CVE-2026-41940 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 98%

Affected Products (NVD)

Vendor	Product	Version
cpanel	cpanel	11.40 ≤ 𝑥 < 86.0.41
cpanel	cpanel	88.0.0 ≤ 𝑥 < 110.0.97
cpanel	cpanel	112.0.0 ≤ 𝑥 < 118.0.63
cpanel	cpanel	120.0.0 ≤ 𝑥 < 124.0.35
cpanel	cpanel	126.0.1 ≤ 𝑥 < 126.0.54
cpanel	cpanel	128.0.0 ≤ 𝑥 < 130.0.19
cpanel	cpanel	132.0.0 ≤ 𝑥 < 132.0.29
cpanel	cpanel	134.0.0 ≤ 𝑥 < 134.0.20
cpanel	cpanel	136.0.0 ≤ 𝑥 < 136.0.5
cpanel	whm	11.40 ≤ 𝑥 < 86.0.41
cpanel	whm	88.0.0 ≤ 𝑥 < 110.0.97
cpanel	whm	112.0.0 ≤ 𝑥 < 118.0.63
cpanel	whm	120.0.0 ≤ 𝑥 < 124.0.35
cpanel	whm	126.0.1 ≤ 𝑥 < 126.0.54
cpanel	whm	128.0.0 ≤ 𝑥 < 130.0.19
cpanel	whm	132.0.0 ≤ 𝑥 < 132.0.29
cpanel	whm	134.0.0 ≤ 𝑥 < 134.0.20
cpanel	whm	136.0.0 ≤ 𝑥 < 136.0.5
cpanel	wp_squared	𝑥 < 136.1.7

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Vulnerability Media Exposure

[ENGLISH] First reports come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed
Exploitation was underway before patches landed, at least one victim reports ransomware demand
Published: 2026-05-01T15:10:15+02:00
[ENGLISH] cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result
Published: 2026-05-09T12:46:00+05:30
[GERMAN] Sicherheitspatch: Abermals Sicherheitslücken in cPanel und WHM geschlossen
Angreifer können cPanel und WebHost Manager unter anderem mit Schadcode attackieren. Sicherheitspatches sind verfügbar.
Published: 2026-05-11T07:15:00+00:00
[ENGLISH] cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control
Published: 2026-05-11T23:24:00+05:30

References

https://docs.cpanel.net/release-notes/release-notes

https://docs.wpsquared.com/changelogs/versions/changelog/#13617

https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026

https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026

https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow

https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/

https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/

https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940