CVE-2026-41940

Published Apr 29, 2026

Last updated a month ago

Exploit known
CVSS critical 9.3
cPanel
lms
web application
Zero-day
WHM

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-41940 is an authentication bypass vulnerability in cPanel & WHM and WP Squared. It allows an unauthenticated remote attacker to skip the login process and obtain administrative access to an affected system. The root cause is a Carriage Return Line Feed (CRLF) injection in the login and session-loading code of cPanel & WHM: an attacker who controls the `whostmgrsession` cookie can inject line breaks that the session loader treats as additional session data, circumventing the protection that the session encryption is meant to provide. Successful exploitation gives the attacker control of the cPanel host, including its configuration, its databases, and the websites it manages. The flaw is listed in CISA's Known Exploited Vulnerabilities catalog, and watchTowr Labs has published a technical analysis and proof-of-concept exploit in the blog post "The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)". Affected versions are cPanel & WHM releases after 11.40; fixed releases are available from the vendor.
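The description above names the vulnerability class (CRLF injection into a line-oriented session store) but not the affected code. The following is an added example, not cPanel's code or watchTowr's exploit: a toy `key=value`-per-line session store with the unsafe writer beside a hardened one, plus the edge check a front end can run on cookie values. The field names, the file layout, the temporary directory and the assumption that a client-supplied value is written into a not-yet-authenticated session are all illustrative choices; the page does not state which cPanel value reaches the session file.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Stand-in for a session directory; a fresh temp dir so the example runs anywhere.
SESSION_DIR = tempfile.mkdtemp(prefix="toy-sessions-")

_SID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL and the other control bytes


def _path(session_id: str) -> str:
    """Map a session id to its file. The id is charset-restricted, so it can
    never smuggle path separators or line breaks into the filename."""
    if not _SID_RE.fullmatch(session_id):
        raise ValueError("malformed session id")
    return os.path.join(SESSION_DIR, session_id)


def load_session(session_id: str) -> dict:
    """Line-oriented loader: one 'key=value' per line, last occurrence wins."""
    fields: dict = {}
    try:
        with open(_path(session_id), "rb") as f:
            for raw in f.read().splitlines():      # splits on \n, \r\n and \r
                key, sep, value = raw.decode("latin-1").partition("=")
                if sep:
                    fields[key.strip()] = value.strip()
    except FileNotFoundError:
        pass
    return fields


def save_session_unsafe(session_id: str, fields: dict) -> None:
    """VULNERABLE writer: values go to disk verbatim, so a value carrying CR/LF
    becomes extra lines, and therefore extra fields, on the next load."""
    with open(_path(session_id), "wb") as f:
        for key, value in fields.items():
            f.write(f"{key}={value}\n".encode("latin-1"))


def save_session_safe(session_id: str, fields: dict) -> None:
    """Hardened writer: validate every key and value before anything is written,
    refusing control characters (and '=' inside a key)."""
    for key, value in fields.items():
        if _CTRL_RE.search(key) or _CTRL_RE.search(value) or "=" in key:
            raise ValueError(f"unsafe session field {key!r}")
    with open(_path(session_id), "wb") as f:
        for key, value in fields.items():
            f.write(f"{key}={value}\n".encode("latin-1"))


def begin_login(session_id: str, cookie_value: str, save) -> dict:
    """Pre-auth login step. Demo assumption: a URL-encoded, client-supplied value
    is recorded into an unauthenticated session before any password is checked."""
    save(session_id, {
        "user": "",                           # nobody is logged in yet
        "authenticated": "0",
        "client_note": unquote(cookie_value),  # attacker-controlled
    })
    return load_session(session_id)


def request_has_crlf(raw_value: str) -> bool:
    """Edge check for cookie/query values: decode once, then look for any
    control character before the value reaches line-oriented storage."""
    return bool(_CTRL_RE.search(unquote(raw_value)))


# Constructed payload: an encoded CRLF followed by the fields the attacker wants
# the loader to see last (last-wins parsing makes them override the real ones).
PAYLOAD = "x%0d%0auser=root%0d%0aauthenticated=1"


def demo() -> dict:
    sid = "demo_session_0001"
    hijacked = begin_login(sid, PAYLOAD, save_session_unsafe)
    try:
        begin_login(sid, PAYLOAD, save_session_safe)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "unsafe_user": hijacked.get("user"),               # 'root'
        "unsafe_authenticated": hijacked.get("authenticated"),  # '1'
        "safe_blocked": blocked,                           # True
        "edge_flagged": request_has_crlf(PAYLOAD),         # True
        "benign_flagged": request_has_crlf("plain-value-42"),   # False
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. The injected fields win only because the loader is last-wins and the attacker-controlled line is written after the real `user` and `authenticated` lines; a first-wins loader would still let the attacker add keys the session does not yet have, so the fix belongs at the writer (and ideally at the edge), not in the parser's precedence rule. And the check must run on the decoded value: a regex over the raw `%0d%0a` string would miss the line break entirely.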

Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
cpanel, whm, wp_squared

Insights

Analysis from the Intruder Security Team
Published Apr 30, 2026 Updated Apr 30, 2026

cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Exploit added on
Apr 30, 2026
Exploit action due
May 3, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

disclosure@vulncheck.com
CWE-306 (Missing Authentication for Critical Function)

Social media

Hype score
Not currently trending
  1. CVE-2026-41940. 0day Intel: Replicating CVE-2026-41940🚀Testing out the critical cPanel & WHM pre-auth b

    @lyrie_ai

    9 Jun 2026

    86 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. 44,000 cPanel servers compromised. CVE-2026-41940 CVSS 9.8: no credentials needed. Sorry ransomware deployed, backups deleted. 1.5M instances still exposed. https://t.co/hi6Gy04edk #cPanel #Ransomware #CyberSecurity #CVE #InfoSec #PatchNow #CISAKEV https://t.co/1aH5ocRhpM

    @DecryptionDigst

    8 Jun 2026

    67 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  3. 🚨 Small Biz Vulnerabilities (June 2) 🚨 1️⃣ cPanel: Auth bypass (CVE-2026-41940) 2️⃣ Plesk: Root flaws (CVE-2026-44962) 3️⃣ GlobalProtect: CISA deadline passed 4️⃣ WordPress: Spectra/WP Maps Pro RCE Stay patched or stay exposed. 🌵🛡️ https://t.co/TY7Nu

    @ustechninja

    6 Jun 2026

    100 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [Subjective take: latest incident trends] Shared hosting services are also being attacked. Check what logs you have and how backups are done yourself, rather than leaving it to the provider. - NGINX/Apache HTTP/2 Bomb (CVE-2026-49975) - cPanel/WHM (CVE-2026-4194

    @shunyat1031

    6 Jun 2026

    109 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2026-41940 · 9.8 → 11.40 The Government Portal Just Became a Data Exfil Choke Point: CVE-2026-41940 Chains Into Custom Zero-Day, Exfiltrates 4.37GB Chinese Railway Secrets

    @lyrie_ai

    1 Jun 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. The Ghost Root: CVE-2026-41940 Gave Attackers Admin on 1.5 Million cPanel Servers — for Two Months Before Anyone Knew. A critical pre-authentication bypass in cPanel and WebHost Manager (WHM) — tracked as CVE-2026-41940 (CVSS 9.8) — gave unauthenticated attackers…

    @lyrie_ai

    1 Jun 2026

    99 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. The 44,000-Server Catastrophe: Sorry Ransomware Mass-Exploits cPanel CVE-2026-41940 in Real Time. A Go-based Linux ransomware named "Sorry" is actively exploiting the critical cPanel/WHM authentication bypass CVE-2026-41940, CVSS 9.8 across 44,000+ compromised cPanel…

    @lyrie_ai

    31 May 2026

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. 📰 cPanel Zero-Day CVE-2026-41940: a critical 9.8-rated vulnerability that hackers had already been using for 2 months https://t.co/pqbKhu7uEZ #Tech

    @kamtorn

    31 May 2026

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2026-41940 · 9.8 The Human Bottleneck in an Automated World: Why April 2026 Proved Speed Isn't The Problem

    @lyrie_ai

    27 May 2026

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Two CVSS 9.8+ cPanel exploits. Same month. Both in the wild. CVE-2026-41940: any user → admin. CVE-2026-48172 (CVSS 10.0): Redis toggle → root. Shared hosting's trust model: paper wall. 🎧 https://t.co/tgr316e8ez #cPanel #InfoSec

    @ZeroDay_Brief

    25 May 2026

    6 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Automated scanner & post-exploitation toolkit for CVE-2026-41940 — cPanel & WHM root authentication bypass via session-file CRLF injection here is the exploit POC: https://t.co/Jakt1IQ1Xl #bugbounty #cve #WHM #CVE202641940 #ZeroDay #AuthenticationBypass #PoC #Exploit

    @sardine_web

    24 May 2026

    188 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Top 5 Trending CVEs: 1 - CVE-2025-55182 2 - CVE-2016-5195 3 - CVE-2026-20223 4 - CVE-2026-41940 5 - CVE-2026-41089 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 May 2026

    322 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚪 cPanel CVE-2026-41940: exposed hosting panels become takeover paths CVE-2026-41940 shows how internet-exposed cPanel/WHM interfaces can turn into immediate attack surfaces. Criminal IP findings: • 2,954 internet-exposed cPanel assets • 147 cPanel interfaces exposed on

    @CriminalIP_US

    22 May 2026

    1256 Impressions

    10 Retweets

    14 Likes

    7 Bookmarks

    1 Reply

    0 Quotes

  14. 🔓 cPanel authentication bypass vulnerability (CVE-2026-41940). CVE-2026-41940 is a Critical authentication bypass vulnerability in cPanel & WHM. Attackers locate externally exposed management interfaces, attempt access without authentication, and then take over the server

    @CriminalIP_KR

    22 May 2026

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Notes on cPanel's CVE-2026-41940: possible chaining with the May batch of vulnerabilities https://t.co/lWIPPBX4sV An article explaining the multiple serious vulnerabilities found in the web server management tools cPanel/WHM/WP Squared. The particularly dangerous C

    @iototsecnews

    21 May 2026

    79 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2026-41940 cPanel weaponization caught ITW: full operator toolkit briefly exposed at 216[.]126[.]227[.]49. 45 files, 0/7 VT, live Flask C2 (Werkzeug + /login-2fa + 8888), 3 registrar org-ID locks. UTA-2026-011. https://t.co/gsf01vqdaR #ThreatIntelligence #CVE #DFIR

    @Hunters_Ledger

    18 May 2026

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. [Filemanager backdoor deployed via cPanel CVE-2026-41940] CVE-2026-41940, which affects cPanel/WHM, is being exploited in real attacks. The vulnerability is an authentication bypass that can give attackers high-level control over the hosting management plane

    @01ra66it

    17 May 2026

    428 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 08:26 UTC: CVE-2026-41940 disclosed. MrRot13 is exploiting critical cPanel CVE-2026-41940 (CVSS 9.8) to deploy the "Filemanager" RAT. Learn how this 6-year

    @lyrie_ai

    17 May 2026

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  19. cPanel auth bypass (CVE-2026-41940) is being actively exploited. Ask your web host today if they have patched. #CyberSecurity #AusIT https://t.co/C5PVICUPd5

    @ALLITAustralia

    17 May 2026

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. #threatreport #LowCompleteness Sorry ransomware exploits cPanel authentication bypass | 15-05-2026 Source: https://t.co/QP9tu2ODmL Key details below ↓ 🎯Victims: Web servers, Linux servers, Web hosting 🏭Industry: Education, Healthcare 🔓CVEs: CVE-2026-41940 https://t.

    @rst_cloud

    16 May 2026

    98 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  21. CVE-2026-41940. CVE-2026-41940 added to CISA KEV: WebPros cPanel & WHM and WP2 (WordPress Squared)

    @lyrie_ai

    15 May 2026

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. New: India's shared hosting attack surface mapped. cPanel auth bypass (CVE-2026-41940), zero-day for 2 months, 2,100 Indian servers compromised. ProFTPD SQLi (CVE-2026-42167), is_escaped_text() defeated by PostgreSQL dollar-quoting. Pre-auth RCE. https://t.co/UkuCYzgIIR

    @pbreachlabs

    14 May 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Critical cPanel Auth Bypass CVE-2026-41940 Exploited by Thousands https://t.co/luNvj5EmCI The post Critical cPanel Auth Bypass CVE-2026-41940 Exploited by Thousands appeared first on Daily CyberSecurity. Related posts: Exploited in the Wild: PoC Released for cPanel CVE-2026-

    @f1tym1

    12 May 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Top 5 Trending CVEs: 1 - CVE-2026-6973 2 - CVE-2026-41940 3 - CVE-2026-43284 4 - CVE-2026-33634 5 - CVE-2026-42248 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    12 May 2026

    123 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🚨 THREAT INTEL | May 4, 2026 🔴 cPanel auth bypass (CVE-2026-41940) ACTIVELY EXPLOITED 🔴 ScreenConnect RCE (CVE-2024-1708) — 30+ live C2s 🔴 Cisco SD-WAN Emergency Directive 500+ live malware URLs | Mirai, Vidar, LummaStealer active #ThreatIntel #Cybersecurity #SOC ht

    @404LABSx

    4 May 2026

    145 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. Top 5 Trending CVEs: 1 - CVE-2026-31431 2 - CVE-2026-41940 3 - CVE-2026-3910 4 - CVE-2024-20359 5 - CVE-2024-20353 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    3 May 2026

    120 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. First CVE-2025-55182, now CVE-2026-41940; why do I keep getting hit by Critical vulnerabilities?

    @hrktvl

    1 May 2026

    207 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  28. 🚨 THREAT INTEL | May 1, 2026 PATCH: CVE-2026-41940 cPanel (due May 3) + CVE-2024-1708 ConnectWise RCE ACTIVE: QakBot C2, Vidar, LummaStealer, 500+ malicious URLs NEW: Needle Stealer + PhantomRPC Windows LPE #CyberSecurity #Infosec https://t.co/kJ4xBBgQTp

    @404LABSx

    1 May 2026

    96 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations