CVE-2026-41940

Warning

Media report

Exploit

EPSS 67.01%
Published 29.04.2026 15:10:37
Last modified 04.05.2026 18:09:42
Source disclosure@vulncheck.com
CVE watchlists
Login
Open
Login

WebPros cPanel and WHM Authentication Bypass via Login Flow

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Affected products Warnungen 1 Metrics 3 CWE 1 References 21

NVD 19 VulnDex Vulnerability Enrichment 2

Data is provided by the National Vulnerability Database (NVD)

Cpanel ≫ Cpanel Version >= 11.40 < 86.0.41

Cpanel ≫ Cpanel Version >= 88.0.0 < 110.0.97

Cpanel ≫ Cpanel Version >= 112.0.0 < 118.0.63

Cpanel ≫ Cpanel Version >= 120.0.0 < 124.0.35

Cpanel ≫ Cpanel Version >= 126.0.1 < 126.0.54

Cpanel ≫ Cpanel Version >= 128.0.0 < 130.0.19

Cpanel ≫ Cpanel Version >= 132.0.0 < 132.0.29

Cpanel ≫ Cpanel Version >= 134.0.0 < 134.0.20

Cpanel ≫ Cpanel Version >= 136.0.0 < 136.0.5

Cpanel ≫ Whm Version >= 11.40 < 86.0.41

Cpanel ≫ Whm Version >= 88.0.0 < 110.0.97

Cpanel ≫ Whm Version >= 112.0.0 < 118.0.63

Cpanel ≫ Whm Version >= 120.0.0 < 124.0.35

Cpanel ≫ Whm Version >= 126.0.1 < 126.0.54

Cpanel ≫ Whm Version >= 128.0.0 < 130.0.19

Cpanel ≫ Whm Version >= 132.0.0 < 132.0.29

Cpanel ≫ Whm Version >= 134.0.0 < 134.0.20

Cpanel ≫ Whm Version >= 136.0.0 < 136.0.5

Cpanel ≫ Wp Squared SwPlatformwordpress Version < 136.1.7

VulnDex Vulnerability Enrichment

This information is available to logged-in users.

30.04.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

Vulnerability

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Description

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metrics
Type	Source	Score	percentile
EPSS	FIRST.org	67.01%	0.986

CVSS Metrics
Source	Base Score	Exploit Score	Impact Score	Vector string
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html

Media Report

https://www.heise.de/news/Sicherheitspatch-Abermals-Sicherheitsluecken-in-cPanel-und-WHM-geschlossen-11288962.html

Media Report

https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html

Media Report

https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html

Media Report

https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html

Media Report

https://www.heise.de/news/cPanel-WHM-Bereits-4000-Instanzen-in-Deutschland-attackiert-11279829.html

Media Report