CVE-2026-41940

CRITICAL CISA KEV EPSS 99.9%
Published Apr 29, 20262mo ago · Modified Jun 17, 20261w ago
9.3 CVSS 4.0
Critical
Find Similar
Published Apr 29, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago
KEV Listed Apr 30, 2026 2mo ago
KEV Due May 3, 2026 57d overdue

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

CISA Known Exploited Overdue 57d
Added
Apr 30, 2026
Due
May 3, 2026

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability
99.9% percentile
Exploit & Patch Status
Actively Exploited (KEV)
No Patch Available

Weaknesses 1

CWE-306 Missing Authentication for Critical Function Authentication

Affected Products 19

VendorProductVersionRange
cpanelcpanel*≥11.40  –  <86.0.41
cpanelcpanel*≥88.0.0  –  <110.0.97
cpanelcpanel*≥112.0.0  –  <118.0.63
cpanelcpanel*≥120.0.0  –  <124.0.35
cpanelcpanel*≥126.0.1  –  <126.0.54
cpanelcpanel*≥128.0.0  –  <130.0.19
cpanelcpanel*≥132.0.0  –  <132.0.29
cpanelcpanel*≥134.0.0  –  <134.0.20
cpanelcpanel*≥136.0.0  –  <136.0.5
cpanelwhm*≥11.40  –  <86.0.41
cpanelwhm*≥88.0.0  –  <110.0.97
cpanelwhm*≥112.0.0  –  <118.0.63
cpanelwhm*≥120.0.0  –  <124.0.35
cpanelwhm*≥126.0.1  –  <126.0.54
cpanelwhm*≥128.0.0  –  <130.0.19
cpanelwhm*≥132.0.0  –  <132.0.29
cpanelwhm*≥134.0.0  –  <134.0.20
cpanelwhm*≥136.0.0  –  <136.0.5
cpanelwp_squared* <136.1.7

References 9

  • docs.cpanel.net https://docs.cpanel.net/release-notes/release-notes
    Release Notes
  • docs.wpsquared.com https://docs.wpsquared.com/changelogs/versions/changelog/#13617
    Release Notes
  • github.com https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
    ExploitThird Party Advisory
  • labs.watchtowr.com https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
    ExploitThird Party Advisory
  • support.cpanel.net https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
    Vendor Advisory
  • bleepingcomputer.com https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
    Press/Media Coverage
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940
    US Government Resource
  • namecheap.com https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
    Third Party Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.