Public Exploit Code Raises Urgency Around Critical cPanel and WHM Vulnerability
A critical cPanel and WHM vulnerability tracked as CVE-2026-41940 is now an urgent patching priority after public exploit code appeared and active attacks were reported in the wild. The flaw allows unauthenticated remote attackers to bypass login controls and gain unauthorized access to affected control panels.
cPanel released emergency fixes on April 28, 2026, for cPanel and WHM, DNSOnly, and WP Squared. The company says the issue affects cPanel software versions after 11.40, which means old and pinned installations need immediate review.
The vulnerability carries a CVSS score of 9.8 and has also landed in CISA’s Known Exploited Vulnerabilities catalog. CISA lists the issue as a missing authentication flaw affecting WebPros cPanel and WHM and WP2, with required remediation due by May 3, 2026, for covered federal systems.
Why CVE-2026-41940 matters
cPanel and WHM sit at the center of many hosting environments. WHM gives administrators server-level control, while cPanel lets individual users manage websites, email, files, databases, and related services.
If an attacker gains administrative access through this bug, one compromised server can put many hosted websites and customer accounts at risk. That makes the flaw especially dangerous for shared hosting providers and agencies managing multiple client sites.
Rapid7 says successful exploitation can give attackers control over the cPanel host system, its configurations, databases, and hosted websites. The firm also noted that a broad Shodan query showed about 1.5 million internet-exposed cPanel instances that may need review.
At a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-41940 |
| Affected products | cPanel and WHM, DNSOnly, and WP Squared |
| Severity | Critical, CVSS 9.8 |
| Issue type | Authentication bypass |
| Attack status | Exploited in the wild, with public technical analysis and exploit code available |
| Main risk | Unauthorized administrative access to hosting control panels |
Public exploit details increase the risk
The vulnerability is linked to how cPanel handles login sessions and saved session data. In simple terms, attackers can abuse a session-handling weakness to make the system treat them as authenticated without valid credentials.
Security researchers have published technical analysis and proof-of-concept exploit code, which increases the chance of wider scanning and copycat attacks. Some reports have also described a weaponized exploit framework called cPanelSniper.
Administrators should avoid treating this as a theoretical risk. KnownHost and other security reporting cited by Rapid7 said exploitation was already observed before public disclosure, with possible zero-day activity dating back to late February 2026.
Attack activity is already visible
The Shadowserver Foundation warned about ongoing CVE-2026-41940 attack activity and reported at least 44,000 IPs linked to attacks, scanning, or related traffic against its sensors. That figure should not be read as confirmed compromised servers, but it does show broad attacker interest.
Once attackers gain access to a hosting control panel, they can do more than deface a site. They may create new accounts, steal files, access databases, change DNS or email settings, deploy malware, or prepare ransomware activity.
This explains why hosting providers moved quickly after disclosure. Some providers temporarily restricted access to cPanel and WHM ports while applying patches across customer infrastructure.
Fixed versions admins should install
| Product branch | Fixed version |
|---|---|
| cPanel and WHM 11.86 | 11.86.0.41 |
| cPanel and WHM 11.110 | 11.110.0.97 |
| cPanel and WHM 11.124 | 11.124.0.35 |
| cPanel and WHM 11.126 | 11.126.0.54 |
| cPanel and WHM 11.130 | 11.130.0.19 |
| cPanel and WHM 11.132 | 11.132.0.29 |
| cPanel and WHM 11.134 | 11.134.0.20 |
| cPanel and WHM 11.136 | 11.136.0.5 |
| WP Squared | 136.1.7 |
What administrators should do now
cPanel tells customers to update affected servers immediately. Servers with disabled updates or pinned update tiers need manual attention because they may not receive the patch automatically.
Admins should also verify the installed build after updating and restart the cPanel service. If a server cannot be updated right away, cPanel recommends blocking inbound traffic to ports 2083, 2087, 2095, and 2096, or stopping the affected services until remediation can happen.
Security teams should also treat patching as only the first step. Any exposed server should receive a compromise review because exploitation may have started before patches became available.
Recommended checks after patching
- Confirm the installed cPanel and WHM version matches a fixed build.
- Review WHM and cPanel access logs for unusual login activity.
- Audit recent account creation, privilege changes, and API token activity.
- Check web roots for unknown files, web shells, redirects, and modified scripts.
- Rotate administrator passwords, API tokens, SSH keys, and database credentials where compromise is suspected.
- Review firewall rules and restrict access to WHM and cPanel ports where possible.
- Run vendor-provided detection guidance and follow any updated cPanel instructions.
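The first post-patch check above is confirming that the installed build is one of the fixed builds. As an added example that is not part of this article or of cPanel's own tooling, the POSIX shell script below compares an installed cPanel and WHM build string against the fixed builds from the table above, field by field, and reports whether the host is on a fixed build, on an older build of the same branch, or on a branch with no listed fix (end-of-life or not in the table), which still needs manual review. It assumes the installed build can be read from /usr/local/cpanel/version (an assumption of this example) and covers only the 11.x cPanel and WHM branches, not WP Squared's separate version scheme.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: check an installed cPanel & WHM build
# against the fixed builds published for CVE-2026-41940.
# Assumption: /usr/local/cpanel/version contains the installed build, e.g. 11.110.0.97.

# Fixed builds from the vendor table, one per 11.x release branch.
FIXED_BUILDS="11.86.0.41 11.110.0.97 11.124.0.35 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# version_ge A B: succeed (exit 0) when dotted version A is >= B, comparing
# up to four numeric fields; missing fields count as 0.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        pa=$(printf '%s' "$1" | cut -d. -f"$i")
        pb=$(printf '%s' "$2" | cut -d. -f"$i")
        pa=${pa:-0}; pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then
            return 1
        fi
        if [ "$pa" -gt "$pb" ]; then
            return 0
        fi
        i=$((i + 1))
    done
    return 0
}

# cpanel_status VERSION: print "fixed", "vulnerable" or "unknown-branch".
# The release branch is the first two fields (e.g. 11.110); a build is fixed
# only if it is at or above the listed fixed build for its own branch.
cpanel_status() {
    installed="$1"
    branch=$(printf '%s' "$installed" | cut -d. -f1-2)
    for fixed in $FIXED_BUILDS; do
        if [ "$(printf '%s' "$fixed" | cut -d. -f1-2)" = "$branch" ]; then
            if version_ge "$installed" "$fixed"; then
                echo fixed
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    # No fixed build listed for this branch: end-of-life or newer than the
    # table. Treat as "needs manual review", not as safe.
    echo unknown-branch
}

# Stand-alone use: report on this host when the (assumed) version file is readable.
if [ -r /usr/local/cpanel/version ]; then
    v=$(cat /usr/local/cpanel/version)
    echo "installed build $v: $(cpanel_status "$v")"
fi
```

Run it after the update has completed and the cPanel service has been restarted; on servers with a pinned update tier or disabled updates, an "unknown-branch" or "vulnerable" result is exactly the case the article says needs manual attention, so the script is a quick triage aid across a fleet, not a substitute for the compromise review that follows.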
Why hosting providers face the highest pressure
This vulnerability creates a wider blast radius than many normal web application bugs. A single vulnerable WHM instance can manage many accounts, domains, databases, and mailboxes.
For hosting companies, that means one missed patch can affect many customers. For website owners, it means they may depend on their hosting provider’s patching speed, even if their own WordPress, CMS, or application is fully updated.
Anyone using managed hosting should ask the provider whether the affected cPanel and WHM versions were patched, whether logs were reviewed, and whether any temporary access restrictions were applied during remediation.
FAQ
CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM, DNSOnly, and WP Squared. It can allow unauthenticated remote attackers to gain unauthorized administrative access.
cPanelSniper has been described in security reports as a weaponized exploit framework targeting CVE-2026-41940. The most important point for defenders is that public exploit code and technical analysis are now available, which increases attack risk.
Security reporting cited by Rapid7 says exploitation was observed before public disclosure, with possible activity dating back to late February 2026.
Fixed cPanel and WHM builds include 11.86.0.41, 11.110.0.97, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5. WP Squared is fixed in version 136.1.7.