Critical cPanel & WHM Bug CVE-2026-41940 Is Being Exploited

cPanel disclosed CVE-2026-41940 on April 28, 2026. Two days later, CISA added it to the Known Exploited Vulnerabilities catalog, and on May 1, 2026 Australia’s ACSC said it was aware of active exploitation in the wild.[1][4][5][6] For hosting providers, this is a patch-now issue: the bug allows unauthenticated remote attackers to bypass login in cPanel & WHM and reach the management plane.

[Image: satirical cartoon of an intruder bypassing the front desk and entering a hosting control room]
No dramatic break-in was needed. The side door was open, and the guard was busy winning a nap contest.

According to cPanel, the flaw affects all versions after 11.40.[1] Public technical analysis from watchTowr, together with the NVD references, shows that exploit material is already available, which sharply raises the risk for internet-exposed panels.[2][3] Because cPanel and WHM sit in front of websites, mail, DNS, account provisioning, and reseller administration, one successful compromise can spill far beyond a single login.

By May 2, 2026, the exploitation picture had become more concrete. CtrlAltIntel said the bug was being used by an actor targeting government and military entities in Southeast Asia, along with telecoms, MSPs, universities, and hosting providers in several countries, while Censys said that within 24 hours of disclosure it saw both Mirai botnet activity and a “Sorry” ransomware wave hitting exposed cPanel hosts.[7][8]

This is not just another control panel bug. It is a direct hit on the hosting control plane.

Patch now

cPanel says administrators should update immediately with /scripts/upcp --force, verify the installed build, and restart cpsrvd after the upgrade.[1] The vendor lists fixed builds across supported tiers, including 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5.[1]
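The update sequence above can be wrapped in a small check so that each host reports whether its installed build is already at or above the fixed build for its tier before anything is changed. The script below is an added example, not cPanel's own tooling: it reads the build from /usr/local/cpanel/version (the same value /usr/local/cpanel/cpanel -V prints), compares it against the fixed builds listed in the advisory, and only runs the vendor's steps when invoked with --apply. The restart path /scripts/restartsrv_cpsrvd is assumed from the standard cPanel layout; a tier that is not in the advisory's list is reported as unknown rather than fixed.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): decide whether the installed
# cPanel & WHM build still needs the CVE-2026-41940 update, then run the
# advisory's steps only when asked to with --apply.

# Fixed builds from the cPanel advisory, keyed by the major.minor tier.
fixed_build_for_tier() {
    case "$1" in
        11.110) echo 11.110.0.97 ;;
        11.118) echo 11.118.0.63 ;;
        11.126) echo 11.126.0.54 ;;
        11.132) echo 11.132.0.29 ;;
        11.134) echo 11.134.0.20 ;;
        11.136) echo 11.136.0.5 ;;
        *)      echo "" ;;
    esac
}

# Numeric, component-wise comparison of dotted versions: returns 0 when $1 >= $2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# Classify an installed version string as fixed, vulnerable, or unknown
# (unknown = a tier the advisory's fixed-build list does not cover, so it
# is not confirmed fixed and should be treated as needing attention).
classify_build() {
    ver="$1"
    tier="$(echo "$ver" | cut -d. -f1,2)"     # 11.110.0.45 -> 11.110
    fixed="$(fixed_build_for_tier "$tier")"
    if [ -z "$fixed" ]; then
        echo unknown
    elif version_ge "$ver" "$fixed"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Installed build as recorded in the version file cPanel maintains.
installed_build() {
    if [ -r /usr/local/cpanel/version ]; then
        cat /usr/local/cpanel/version
    else
        echo ""
    fi
}

# The advisory's sequence: update with upcp --force, restart cpsrvd, then
# re-read and re-classify the build. Without --apply this is a dry run.
patch_if_needed() {
    ver="$(installed_build)"
    if [ -z "$ver" ]; then
        echo "no cPanel install found on this host" >&2
        return 0
    fi
    status="$(classify_build "$ver")"
    echo "installed build $ver: $status"
    if [ "$status" = fixed ]; then
        return 0
    fi
    if [ "${1:-}" != "--apply" ]; then
        echo "re-run with --apply to update (upcp --force, then restart cpsrvd)"
        return 0
    fi
    /scripts/upcp --force
    /scripts/restartsrv_cpsrvd          # assumed standard restart script path
    ver="$(installed_build)"
    echo "after update: $ver is $(classify_build "$ver")"
}

patch_if_needed "${1:-}"
```

Run it once with no arguments across the fleet to get an inventory of which hosts are still below their tier's fixed build, then with --apply on those hosts; the post-update line is the check that the restart actually happened on a fixed build rather than on the old one.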

The highest-risk targets are public-facing shared hosting panels, reseller infrastructure, and management interfaces that were left reachable from the open internet. If you run cPanel or WHM for customers, delaying the update, missing one tier, or skipping the service restart is how a routine patch window turns into an incident with this bug.

References

  1. cPanel. Security: CVE-2026-41940 – cPanel & WHM / WP2 Security Update 04/28/2026.
  2. watchTowr Labs. The Internet Is Falling Down, Falling Down, Falling Down.
  3. NVD. CVE-2026-41940.
  4. Canadian Centre for Cyber Security. cPanel security advisory (AV26-404) – Update 1.
  5. Cyber.gov.au. Active exploitation of cPanel/WHM critical vulnerability.
  6. CISA. Known Exploited Vulnerabilities Catalog entry for CVE-2026-41940.
  7. CtrlAltIntel. SEA Under Attack: A Critical cPanel Zero-Day and a Focused Adversary.
  8. Censys. The cPanel situation is unchanged. It is bad.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
