CVE-2026-41940
Description
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CISA KEV
- Vendor: WebPros
- Product: cPanel & WHM and WP2 (WordPress Squared)
- Due date: 2026-05-03
Mitigations
Vendor advisory (cisa-kev):
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://docs.cpanel.net/release-notes/release-notes/
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940
Vendor advisory (disclosure@vulncheck.com):
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://docs.cpanel.net/release-notes/release-notes
Exploits
Application impact
| Vendor | Product | Affected versions | Fixed |
|---|---|---|---|
| cpanel | cpanel | >= 11.40, < 86.0.41 | 86.0.41 |
| cpanel | whm | >= 11.40, < 86.0.41 | 86.0.41 |
| cpanel | wp_squared | < 136.1.7 | 136.1.7 |
References
- https://docs.cpanel.net/release-notes/release-notes
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940
CWEs
CWE-306