Active Exploitation of Critical Vulnerability in cPanel, WebHost Manager (WHM) and WordPress Squared (WP2)
4 May 2026
cPanel has released security updates to address a critical vulnerability in cPanel, WebHost Manager (WHM) and WordPress Squared (WP2). Users and administrators of affected products are advised to update to the latest versions immediately.
Background
cPanel has released security updates to address a critical authentication bypass vulnerability (CVE-2026-41940) affecting cPanel, WebHost Manager (WHM) and WordPress Squared (WP2) - a management panel for WordPress hosting built on cPanel. This vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.
Impact
The vulnerability arises from insufficient session handling in cPanel, WHM and WP2: user-controlled input derived from the HTTP Authorization header is written into server-side session files before authentication occurs and without proper sanitisation.
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to bypass authentication and gain unauthorised administrative access to the affected systems, potentially enabling the attacker to take full control of hosted websites, databases, email accounts, and server configurations.
Known Exploitation
This vulnerability is being actively exploited in the wild. A proof of concept is publicly available.
Affected Products
This vulnerability affects the following products:
cPanel/WHM versions prior to 11.136.0.7
WP2 versions prior to 136.1.7
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately. Where immediate patching is not feasible, administrators should consider either restricting external connectivity to ports 2083, 2087, 2095 and 2096, or stopping the cpsrvd and cpdavd core cPanel services.
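The check below is an added example for administrators triaging this advisory; it is not code from cPanel or from the advisory. It compares an installed version against the fixed versions listed above and reports which of the advisory's ports are listening. It assumes that /usr/local/cpanel/version holds the installed cPanel/WHM version string and that ss (iproute2) is available; nothing on the host is changed.

```shell
#!/bin/sh
# Fixed versions taken from the advisory.
CPANEL_FIXED="11.136.0.7"
WP2_FIXED="136.1.7"
# Ports named in the advisory's mitigation guidance.
CPANEL_PORTS="2083 2087 2095 2096"

# version_lt A B: returns 0 if dotted version A sorts strictly below B.
# Missing trailing components count as 0, so "136" < "136.1.7".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        # Drop the leading component; stop once the last one is consumed.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# 0 if the given cPanel/WHM or WP2 version predates the fix.
cpanel_affected() { version_lt "$1" "$CPANEL_FIXED"; }
wp2_affected()    { version_lt "$1" "$WP2_FIXED"; }

# Read the installed cPanel/WHM version (assumed file path; empty if absent).
installed_cpanel_version() {
    [ -r /usr/local/cpanel/version ] && tr -d '[:space:]' < /usr/local/cpanel/version
}

# List which of the advisory's ports currently have a TCP listener (read-only).
exposed_ports() {
    ss -Hltn 2>/dev/null | awk '{print $4}' | while read -r addr; do
        port=${addr##*:}
        for p in $CPANEL_PORTS; do [ "$port" = "$p" ] && echo "$p"; done
    done
}

main() {
    v=$(installed_cpanel_version)
    if [ -z "$v" ]; then echo "cPanel version file not found"; return 2; fi
    if cpanel_affected "$v"; then
        echo "cPanel/WHM $v is below $CPANEL_FIXED: update now"
        echo "Advisory ports with a listener: $(exposed_ports | tr '\n' ' ')"
    else
        echo "cPanel/WHM $v includes the fix"
    fi
}

main "$@"
```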