Vulnerability intelligence
CVE-2026-41940
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CVSS Score
9.8
Critical
EPSS — Exploit Probability
98%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2026-05-03
CISA required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-05-03.
18 articles across 10 outlets · first covered Apr 29, 2026 · latest May 17, 2026
Tracked incidents
Associated threat actors
Coverage timeline
-
Security Affairs Round 97 Covers JDownloader Hacked, TrickMo Risesecurityaffairs.com · May 17, 2026
-
Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoorsecurityaffairs.com · May 12, 2026
-
Mr_Rot13 Exploits Critical cPanel Flaw, Deploys Filemanagerthehackernews.com · May 11, 2026
-
New cPanel vulnerabilities could allow file access and remote code executionsecurityaffairs.com · May 10, 2026
-
cPanel fixes bugs enabling code execution or privilege escalationthehackernews.com · May 9, 2026
-
DomainTools Investigations | Cybersecurity Reading List - Week of 2026-05-04dti.domaintools.com · May 7, 2026
-
cPanel auth bypass exploited in Asian gov, MSP attackssecurityaffairs.com · May 4, 2026
-
Attackers Exploit cPanel Flaw, Endangering Millions of Websiteswww.darkreading.com · May 4, 2026
-
Hacker News Weekly: Exploits Outpace Patches, Systems at Risk.thehackernews.com · May 4, 2026
-
Critical cPanel Vulnerability Weaponized to Target Government and MSP Networksthehackernews.com · May 4, 2026
-
Attackers hit over 40k cPanel servers via CVE-2026-41940 flawwww.securityweek.com · May 4, 2026
-
CISA adds critical cPanel auth bypass flaw to KEV cataloguesecurityaffairs.com · May 3, 2026
-
Critical cPanel WHM bypass lets attackers hijack admin accesswww.malwarebytes.com · May 1, 2026
-
“to recover your files, kindly send 0.1 BTC to…” ransom note appears on websitesdatabreaches.net · Apr 30, 2026
-
CISA flags critical cPanel WHM auth flaw allowing remote takeoverwww.cisa.gov · Apr 30, 2026
-
CISA Flags Critical cPanel & WHM Bug CVE‑2026‑41940 Under Attackcisa.gov · Apr 30, 2026
-
Critical cPanel Auth Bypass (CVE-2026-41940) Exposes 1.5M Serverswww.securityweek.com · Apr 30, 2026
-
Critical cPanel Flaw Lets Hackers Hijack Admin Access Remotelywww.rapid7.com · Apr 29, 2026