Which versions of cPanel & WHM are affected by CVE-2026-41940?

A critical authentication bypass in cPanel & WHM (CVE-2026-41940) is being actively exploited by threat actors according to CISA, enabling unauthorized access to hosting control panels without valid…. A patch is available.

Is there a public PoC exploit available for CVE-2026-41940?

Yes, a public proof-of-concept exploit is available for CVE-2026-41940. Prioritise patching immediately. EPSS: 16.5%.

How to fix or mitigate CVE-2026-41940?

Within 24 hours: Identify and inventory all cPanel & WHM deployments and their current versions. Within 7 days: Apply vendor-released patches to all affected installations per cPanel's official security advisory. Within 30 days: Review cPanel authentication logs for unauthorized access attempts and implement additional hardening controls such as IP whitelisting and enhanced monitoring.

cPanel & WHM CVE-2026-41940

Q: What is the CVSS score of CVE-2026-41940?

CVE-2026-41940 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 16.5%.

EUVD-2026-26246 CRITICAL

Missing Authentication for Critical Function (CWE-306)

2026-04-29 VulnCheck

Authentication Bypass

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Added to CISA KEV

May 04, 2026 - 18:09 cisa

CISA KEV

PoC Detected

May 04, 2026 - 18:09 vuln.today

Public exploit code

Started Trending

Apr 30, 2026 - 18:00 vuln.today

12.0

Added to CISA KEV

Apr 30, 2026 - 17:02 CISA

CVSS changed

Apr 29, 2026 - 16:22 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

EUVD ID Assigned

Apr 29, 2026 - 15:30 euvd

EUVD-2026-26246

Patch released

Apr 29, 2026 - 15:30 nvd

Patch available

CVE Published

Apr 29, 2026 - 15:10 nvd

CRITICAL 9.3

DescriptionNVD

cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

AnalysisAI

Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. …

RemediationAI

Within 24 hours: Identify and inventory all cPanel & WHM deployments and their current versions. Within 7 days: Apply vendor-released patches to all affected installations per cPanel's official security advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41940 vulnerability details – vuln.today

Back

cPanel & WHM CVE-2026-41940

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

cPanel & WHM CVE-2026-41940

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code