CVE-2026-41940

Warnung

Medienbericht

Exploit

EPSS 26.55%
Veröffentlicht 29.04.2026 15:10:37
Zuletzt bearbeitet 04.05.2026 18:09:42
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

WebPros cPanel and WHM Authentication Bypass via Login Flow

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 18

NVD 19 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cpanel ≫ Cpanel Version >= 11.40 < 86.0.41

Cpanel ≫ Cpanel Version >= 88.0.0 < 110.0.97

Cpanel ≫ Cpanel Version >= 112.0.0 < 118.0.63

Cpanel ≫ Cpanel Version >= 120.0.0 < 124.0.35

Cpanel ≫ Cpanel Version >= 126.0.1 < 126.0.54

Cpanel ≫ Cpanel Version >= 128.0.0 < 130.0.19

Cpanel ≫ Cpanel Version >= 132.0.0 < 132.0.29

Cpanel ≫ Cpanel Version >= 134.0.0 < 134.0.20

Cpanel ≫ Cpanel Version >= 136.0.0 < 136.0.5

Cpanel ≫ Whm Version >= 11.40 < 86.0.41

Cpanel ≫ Whm Version >= 88.0.0 < 110.0.97

Cpanel ≫ Whm Version >= 112.0.0 < 118.0.63

Cpanel ≫ Whm Version >= 120.0.0 < 124.0.35

Cpanel ≫ Whm Version >= 126.0.1 < 126.0.54

Cpanel ≫ Whm Version >= 128.0.0 < 130.0.19

Cpanel ≫ Whm Version >= 132.0.0 < 132.0.29

Cpanel ≫ Whm Version >= 134.0.0 < 134.0.20

Cpanel ≫ Whm Version >= 136.0.0 < 136.0.5

Cpanel ≫ Wp Squared SwPlatformwordpress Version < 136.1.7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

30.04.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

Schwachstelle

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	26.55%	0.964

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html

Media Report

https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html

Media Report

https://www.heise.de/news/cPanel-WHM-Bereits-4000-Instanzen-in-Deutschland-attackiert-11279829.html

Media Report

https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/

Media Report

https://www.bleepingcomputer.com/news/security/critical-cpanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/

Media Report

https://www.heise.de/news/cPanel-WHM-Unbefugte-Zugriffe-auf-Webserver-Konfigurationstool-moeglich-11277580.html

Media Report