CVE-2026-41940
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability - [Actively Exploited]
Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
INFO
Published Date: April 29, 2026, 4:16 p.m.
Last Modified: May 4, 2026, 6:09 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Detected: May 06, 2026
References:
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://docs.cpanel.net/release-notes/release-notes/
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940
Affected Products
The following products are affected by the CVE-2026-41940 vulnerability. Even where cvefeed.io is aware of the exact affected versions of the products, that information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | CRITICAL | | | | 83251b91-4cc7-4094-a5c7-464a1b83ea10 |
| | CVSS 3.1 | CRITICAL | | | | [email protected] |
| | CVSS 3.1 | CRITICAL | | | | MITRE-CVE |
| | CVSS 4.0 | CRITICAL | | | | 83251b91-4cc7-4094-a5c7-464a1b83ea10 |
| | CVSS 4.0 | CRITICAL | | | | [email protected] |
Solution
- Update cPanel and WHM to a patched version.
- Verify successful update.
Public PoC/Exploit Available at Github
CVE-2026-41940 has 119 public PoCs/exploits available on GitHub.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-41940.
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-41940 is associated with the following CWE:
- CWE-306: Missing Authentication for Critical Function
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-41940 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).
Security research portfolio and responsible disclosure profile
Redacted cPanel/WHM authentication bypass analysis and authorized checker
🚀 CVE-2026-24061 - GNU inetutils-telnetd Auth Bypass Exploit - Full Control 💥 CRLF injection via NEW_ENVIRON leads to auth bypass & instant root shell. ✅ Single/Mass exploitation, multi-threading, custom port/user, pipe mode, session keep-alive, colored output, retries, timeout support. ⚡ Python & Bash versions. Critical CVSS 9.8.
Python Shell
None
Python
CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM. This repository is designed to demonstrate its Proof-Of-Concept
cve cve-2026-41940 cve-2026-41940-poc vulnerability
Python
Modular web vulnerability scanner console (env/config/backups/git exposure + injection + policy engine + integrations).
HTML CSS JavaScript Shell
Automated cPanel exploitation toolkit for authorized security testing
Go Shell
Automated scanner & post-exploitation toolkit for CVE-2026-41940 — cPanel & WHM root authentication bypass via session-file CRLF injection
Python
cPanel/WHM CVE auditor & patcher — May 2026 batch, zero dependencies.
Shell
Private exploit
Python
CVE-2026 PoC Collection - 128 PoCs covering 84 CVEs
Python Dockerfile Shell Java C Makefile Objective-C Rust C++ Go
MITRE ATT&CK TTP Overlap Mapper
Python
Pentest CLI for authorized assessments, HTB boxes, and CTFs. ngehe discovers a target's attack surface — web + non-HTTP services — and tests for the OWASP Top 10 plus common HTB attack vectors (SSH, FTP, SMB, LDAP/AD, Kerberos, default credentials) from a single binary
Go Shell Dockerfile
Proof-of-concept exploits and reproduction labs for CVEs analyzed by the Exploit Intelligence Platform
cves exploits proof-of-concept
Shell Python Java JavaScript Ruby C Go C# PHP GDB
Collection of offensive security skills for Claude Code: complete PTES methodology with AWS/IAM (WorstAssume), pfSense (27+ CVEs), Active Directory, Web Attacks, Palo Alto PAN-OS, AI Agent Audit and LLM Security Testing. Integrates AIRecon, Watchtower and hexstrike-local MCP
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2026-41940 vulnerability anywhere in the article.
- Proofpoint: More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild
  Executive Summary The CVE Landscape Has Changed. The Threat Actors Haven't. Proofpoint's dual telemetry streams — targeted attack visibility covering hundreds of millions of messages daily, and a glob ...
- The Hacker News: Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
  Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software across the ...
- The Hacker News: LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
  A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to ...
- The Hacker News: Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based o ...
- The Hacker News: CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, ...
- The Hacker News: Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
  Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CV ...
- The Hacker News: Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
  Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active exploitation in the wild. The former, tracked as CVE-2026-41091, is rated 7.8 on the ...
- The Hacker News: 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
  Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a ca ...
- The Hacker News: Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
  Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or infor ...
- The Hacker News: Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
  Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a C ...
- The Hacker News: SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access
  Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enabl ...
- The Hacker News: MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
  Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw ...
- The Hacker News: NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
  A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked ...
- Daily CyberSecurity: CVSS 10 Alert: Quest KACE SMA Auth Bypass Exploited to Hijack Managed Endpoints
  Detailed listing of tools and scripts within the exposed C2 directory | Image: Hunt Cybersecurity researchers have just dropped a report on a critical “management plane” threat that has spent the last ...
- CybersecurityNews: 79 Chrome Vulnerabilities Patched, Including 14 Critical One’s – Update Now!
  Google has rolled out a massive security update for its Chrome browser, sealing a staggering 79 vulnerabilities before threat actors can exploit them. With 14 of these flaws rated as critical, browsin ...
- The Cyber Express: Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities, No Zero-Day Exploits Reported
  Microsoft has rolled out its May 2026 Patch Tuesday security updates, delivering fixes for approximately 120 vulnerabilities across Windows, Microsoft Office, networking services, and enterprise platf ...
- CybersecurityNews: PoC Exploit Released for Android Zero-Click Vulnerability that Enables Remote Shell Access
  In a chilling blow to mobile security, Google’s May 2026 Android Security Bulletin has unmasked a catastrophic zero-click vulnerability lurking within the core Android System. The CVE-2026-0073 flaw i ...
- CybersecurityNews: New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes
  A new tool, BitUnlocker, reveals a practical downgrade attack against Microsoft’s BitLocker encryption, allowing attackers with physical access to decrypt protected volumes on patched Windows 11 machi ...
- CybersecurityNews: Hackers Abuse CVE-2026-41940 to Take Over cPanel and WHM Servers
  A fatal authentication bypass vulnerability is actively affecting cPanel and WebHost Manager (WHM) servers worldwide. Tracked as CVE-2026-41940 and bearing an apocalyptic maximum severity score of 9.8 ...
- The Hacker News: cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
  A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack ex ...
The following history lists the changes that have been made to the CVE-2026-41940 vulnerability record over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
Version ranges below are written as [lower bound (including), upper bound (excluding)).

- Modified Analysis by [email protected] (May 04, 2026)
  - Changed CPE Configuration: cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
    - Old value (OR): [11.40, 86.0.41); [88.0.0, 110.0.97); [112.0.0, 118.0.63); [120.0.0, 126.0.54); [128.0.0, 130.0.19); [132.0.0, 132.0.29); [134.0.0, 134.0.20); [136.0.0, 136.0.5)
    - New value (OR): [11.40, 86.0.41); [88.0.0, 110.0.97); [112.0.0, 118.0.63); [128.0.0, 130.0.19); [132.0.0, 132.0.29); [134.0.0, 134.0.20); [136.0.0, 136.0.5); [120.0.0, 124.0.35); [126.0.1, 126.0.54)
  - Changed CPE Configuration: cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*
    - Old value (OR): [11.40, 86.0.41); [112.0.0, 118.0.63); [120.0.0, 126.0.54); [128.0.0, 130.0.19); [132.0.0, 132.0.29); [134.0.0, 134.0.20); [136.0.0, 136.0.5); [88.0.0, 110.0.97)
    - New value (OR): [11.40, 86.0.41); [112.0.0, 118.0.63); [128.0.0, 130.0.19); [132.0.0, 132.0.29); [134.0.0, 134.0.20); [136.0.0, 136.0.5); [88.0.0, 110.0.97); [120.0.0, 124.0.35); [126.0.1, 126.0.54)
  - Added Reference (Type CVE): https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/ (Types: Exploit, Third Party Advisory)
  - Added Reference (Type CVE): https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/ (Types: Press/Media Coverage)
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (May 04, 2026)
  - Added Reference: https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
  - Added Reference: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- Initial Analysis by [email protected] (Apr. 30, 2026)
  - Added CPE Configuration: cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:* (OR): [11.40, 86.0.41); [88.0.0, 110.0.97); [112.0.0, 118.0.63); [120.0.0, 126.0.54); [128.0.0, 130.0.19); [132.0.0, 132.0.29); [134.0.0, 134.0.20); [136.0.0, 136.0.5)
  - Added CPE Configuration: cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:* (OR): [11.40, 86.0.41); [112.0.0, 118.0.63); [120.0.0, 126.0.54); [128.0.0, 130.0.19); [132.0.0, 132.0.29); [134.0.0, 134.0.20); [136.0.0, 136.0.5); [88.0.0, 110.0.97)
  - Added CPE Configuration: cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:* (OR): versions up to (excluding) 136.1.7
  - Added Reference (Type VulnCheck): https://docs.cpanel.net/release-notes/release-notes (Types: Release Notes)
  - Added Reference (Type VulnCheck): https://docs.wpsquared.com/changelogs/versions/changelog/#13617 (Types: Release Notes)
  - Added Reference (Type CISA-ADP): https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py (Types: Exploit, Third Party Advisory)
  - Added Reference (Type VulnCheck): https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 (Types: Vendor Advisory)
  - Added Reference (Type CISA-ADP): https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940 (Types: US Government Resource)
  - Added Reference (Type VulnCheck): https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026 (Types: Third Party Advisory)
  - Added Reference (Type VulnCheck): https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow (Types: Third Party Advisory)
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Apr. 30, 2026)
  - Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940
- CVE Modified by [email protected] (Apr. 30, 2026)
  - Changed Description
    - Old value: cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
    - New value: cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Apr. 29, 2026)
  - Added Reference: https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
- New CVE Received by [email protected] (Apr. 29, 2026)
  - Added Description: cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
  - Added CVSS V4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Added CWE: CWE-306
  - Added Reference: https://docs.cpanel.net/release-notes/release-notes
  - Added Reference: https://docs.wpsquared.com/changelogs/versions/changelog/#13617
  - Added Reference: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
  - Added Reference: https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
  - Added Reference: https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow