We have identified a critical security vulnerability that requires your immediate attention and prompt action.
CVE-2026-41940 – Critical Authentication Bypass
A critical vulnerability (CVE-2026-41940) was publicly disclosed affecting ALL supported versions of cPanel & WHM — one of the most widely used web hosting control panels in the world. This flaw carries a CVSS score of 9.8 out of 10 (Critical), and active exploitation has already been confirmed in the wild — meaning attackers are actively targeting servers right now.
WHAT IS THE RISK?
This is an Authentication Bypass vulnerability. It allows unauthenticated remote attackers to gain unauthorized administrative access to your server — without needing a username or password. If exploited, attackers can:
• Take full control of your cPanel & WHM interfaces
• Access, modify, or delete your websites, databases, and email accounts
• Alter server configurations
• Potentially compromise thousands of websites on shared hosting environments
WHAT YOU MUST DO IMMEDIATELY:
1. UPDATE cPanel & WHM to the patched version:
- cPanel & WHM: version 11.136.0.5 or later
- WP Squared: version 136.1.7 or later
You can force an update via command line:
/usr/local/cpanel/scripts/upcp --force
2. RESTRICT network access to cPanel/WHM login ports (2082, 2083, 2086, 2087) using a firewall or IP allowlist until the patch is confirmed installed.
3. REVIEW your server logs for any suspicious login activity or unauthorized access, especially entries from February 23, 2026, onward.
4. RESET credentials for all cPanel, WHM, and root accounts as a precaution.
5. ENABLE Two-Factor Authentication (2FA) on your cPanel account if not already done.
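As an added example that is not part of this notice: a small POSIX sh check for step 1, confirming that an installed version is at or above the fixed releases named above (the version strings come from the notice; the path /usr/local/cpanel/version is an assumption about where the installed version is recorded).

```shell
#!/bin/sh
# Added example, not part of the Websouls notice or of cPanel's own tooling.
# Fixed releases as stated in the notice above.
FIXED_CPANEL="11.136.0.5"
FIXED_WP2="136.1.7"

# version_ge A B -> returns 0 if dotted version A >= B, 1 otherwise.
# Fields are compared numerically, so 11.136.0.10 ranks above 11.136.0.5
# (a plain string comparison would get that wrong). Assumes numeric fields.
version_ge() {
  a="$1"; b="$2"; i=1
  while :; do
    fa=$(printf '%s' "$a" | cut -d. -f"$i")
    fb=$(printf '%s' "$b" | cut -d. -f"$i")
    # both version strings exhausted with no difference: equal
    [ -z "$fa" ] && [ -z "$fb" ] && return 0
    fa=${fa:-0}; fb=${fb:-0}   # missing trailing field counts as 0
    if [ "$fa" -gt "$fb" ]; then return 0; fi
    if [ "$fa" -lt "$fb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# cpanel_patched VERSION -> prints "patched" or "vulnerable"
cpanel_patched() {
  if version_ge "$1" "$FIXED_CPANEL"; then echo patched; else echo vulnerable; fi
}

# wp2_patched VERSION -> same check against the WP Squared fixed release
wp2_patched() {
  if version_ge "$1" "$FIXED_WP2"; then echo patched; else echo vulnerable; fi
}

# check_installed [FILE] -> reports on the version string recorded in FILE.
# Assumption: /usr/local/cpanel/version holds the installed cPanel & WHM version.
check_installed() {
  f="${1:-/usr/local/cpanel/version}"
  if [ ! -r "$f" ]; then echo "cannot read $f"; return 2; fi
  v=$(tr -d '[:space:]' < "$f")
  echo "installed $v: $(cpanel_patched "$v")"
}
# Usage on a server: check_installed
# If it reports "vulnerable", run /usr/local/cpanel/scripts/upcp --force (step 1).
```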
OFFICIAL ADVISORY & FURTHER READING:
Please review the official cPanel security advisory for full technical details and patching instructions:
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
Sincerely,
Technical Team
Websouls
Friday, May 1, 2026
