CVE-2026-41940

Published Apr 29, 2026

Last updated 7 days ago

Exploit knownCVSS critical 9.3
cPanel
WHM

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-41940 is an authentication bypass vulnerability impacting cPanel & WHM and WP Squared products. This flaw allows unauthenticated remote attackers to bypass the login process and gain unauthorized administrative access to affected systems. The vulnerability stems from a Carriage Return Line Feed (CRLF) injection within the login and session loading mechanisms of cPanel & WHM, where an attacker can manipulate the `whostmgrsession` cookie to circumvent encryption. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, including its configurations, databases, and the websites it manages. Security firm watchTowr Labs has published a technical analysis and proof-of-concept exploit for this vulnerability, detailed in their blog post titled "The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)". The vulnerability affects cPanel and WHM versions after 11.40, with patches available in later versions.

Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
cpanel, whm, wp_squared

Insights

Analysis from the Intruder Security Team
Published Apr 30, 2026 Updated Apr 30, 2026

cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Exploit added on
Apr 30, 2026
Exploit action due
May 3, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

disclosure@vulncheck.com
CWE-306

Social media

Hype score
Not currently trending

  1. 🚨 THREAT INTEL | May 4, 2026 🔴 cPanel auth bypass (CVE-2026-41940) ACTIVELY EXPLOITED 🔴 ScreenConnect RCE (CVE-2024-1708) — 30+ live C2s 🔴 Cisco SD-WAN Emergency Directive 500+ live malware URLs | Mirai, Vidar, LummaStealer active #ThreatIntel #Cybersecurity #SOC ht

    @404LABSx

    4 May 2026

    145 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Top 5 Trending CVEs: 1 - CVE-2026-31431 2 - CVE-2026-41940 3 - CVE-2026-3910 4 - CVE-2024-20359 5 - CVE-2024-20353 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    3 May 2026

    120 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-55182といいCVE-2026-41940といい、なんで俺はCriticalの脆弱性に見舞われるんだ?

    @hrktvl

    1 May 2026

    207 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  4. 🚨 THREAT INTEL | May 1, 2026 PATCH: CVE-2026-41940 cPanel (due May 3) + CVE-2024-1708 ConnectWise RCE ACTIVE: QakBot C2, Vidar, LummaStealer, 500+ malicious URLs NEW: Needle Stealer + PhantomRPC Windows LPE #CyberSecurity #Infosec https://t.co/kJ4xBBgQTp

    @404LABSx

    1 May 2026

    96 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user.CVE-2025-66429
  2. Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.CVE-2009-4823
  3. Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter.CVE-2008-7142
  4. Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.CVE-2008-6927
  5. Directory traversal vulnerability in index.php in Fantastico, as used with cPanel 11.x, allows remote attackers to read arbitrary files via a .. (dot dot) in the sup3r parameter.CVE-2008-6843

References

Sources include official advisories and independent security research.