๐Ÿ” CVE Alert

CVE-2026-41940

CRITICAL 9.8 โš ๏ธ CISA KEV

WebPros cPanel and WHM Authentication Bypass via Login Flow

CVSS Score
9.8
EPSS Score
26.6%
EPSS Percentile
96th

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CWE CWE-306
Vendor webpros
Product cpanel
Published Apr 29, 2026
Last Updated May 6, 2026
โš ๏ธ Actively Exploited โ€” Act Now

Get instant alerts for webpros cpanel

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2026-41940.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

WebPros / cPanel
11.40.0.0 < 11.86.0.41 11.88.0.0 < 11.94.0.28 11.96.0.0 < 11.102.0.39 11.104.0.0 < 11.110.0.97 11.112.0.0 < 11.118.0.63 11.120.0.0 < 11.124.0.35 11.126.0.0 < 11.126.0.54 11.128.0.0 < 11.130.0.19 11.132.0.0 < 11.132.0.29 11.134.0.0 < 11.134.0.20 11.136.0.0 < 11.136.0.5
WebPros / WP Squared
All versions affected
WebPros / WHM
11.40.0.0 < 11.86.0.41 11.88.0.0 < 11.94.0.28 11.96.0.0 < 11.102.0.39 11.104.0.0 < 11.110.0.97 11.112.0.0 < 11.118.0.63 11.120.0.0 < 11.124.0.35 11.126.0.0 < 11.126.0.54 11.128.0.0 < 11.130.0.19 11.132.0.0 < 11.132.0.29 11.134.0.0 < 11.134.0.20 11.136.0.0 < 11.136.0.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
support.cpanel.net: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 docs.cpanel.net: https://docs.cpanel.net/release-notes/release-notes docs.wpsquared.com: https://docs.wpsquared.com/changelogs/versions/changelog/#13617 namecheap.com: https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026 vulncheck.com: https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow github.com: https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940 bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/ labs.watchtowr.com: https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/