1,125 CVEs Published: Auth Bypass in cPanel Actively Exploited (KEV)
Executive Summary
Overview
During the reporting period of April 27 to May 4, 2026, vuln.today data recorded 1,125 published CVEs, representing a 21% decrease from the previous week's total of 1,427 CVEs. Severity distribution: 65 CRITICAL, 395 HIGH, 392 MEDIUM, 168 LOW, and 105 UNKNOWN. The dataset includes 1 CISA KEV entry, 219 CVEs with public exploit code or proof-of-concept availability, and 467 CVEs with available patches. A total of 274 CRITICAL or HIGH severity vulnerabilities remain unpatched.
Critical Threats
- CVE-2026-41940 (CRITICAL, CVSS 9.3): Authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5, confirmed actively exploited (CISA KEV). Public exploit code available. EPSS score of 16.5% indicates elevated probability of exploitation. Patch available per vendor advisory. Action: Patch: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- CVE-2026-41462 (CRITICAL, CVSS 9.3): Unauthenticated SQL injection vulnerability in ProjeQtor versions 7.0 through 12.4.3, affecting the login functionality. Public exploit code available. No vendor-released patch identified at time of analysis.
- CVE-2025-71284 (CRITICAL, CVSS 9.3): Remote code execution in Synway SMG Gateway Management Software via command injection in the RADIUS configuration endpoint at /en/9-2radius.php. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all instances of Synway SMG Gateway Management Software in your environment and isolate affected systems from production networks if possible; block internet-facing access to
- CVE-2026-27760 (CRITICAL, CVSS 9.2): Remote code execution in OpenCATS installer via PHP code injection in the AJAX endpoint's databaseConnectivity action parameter. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: identify all OpenCATS instances in your environment and verify installation status (prioritize any incomplete installations). Within 7 days: apply vendor patch (GitHub commit 3002a29
- CVE-2026-7155 (HIGH, CVSS 8.9): OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 affecting the setLoginPasswordCfg function in /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis.
- CVE-2026-7538 (HIGH, CVSS 8.9): OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 via the 'proto' parameter in /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Totolink A8000RU devices running firmware version 7.1cu.643_b20200521 using network scanning tools; immediately isolate affected devices from internet-facing
- CVE-2026-7240 (HIGH, CVSS 8.9): OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 via the User parameter in the setVpnAccountCfg function of /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolink A8000RU devices on your network and document firmware versions; immediately isolate any running 7.1cu.643_b20200521 from production networks or internet access. W
- CVE-2026-32644 (CRITICAL): Linked threat intelligence present in vuln.today data.
- CVE-2026-20766 (HIGH): Linked threat intelligence present in vuln.today data.
- CVE-2026-27785 (HIGH): Linked threat intelligence present in vuln.today data.
- CVE-2026-3893 (CRITICAL): Linked threat intelligence present in vuln.today data.
- CVE-2026-32649 (HIGH): Linked threat intelligence present in vuln.today data.
Threat Landscape
The top affected vendors include Linux (157 CVEs), WordPress (58), Google (45), Microsoft (36), and Apache (27). Tenda and IBM follow with 18 and 16 CVEs respectively. Attack technique distribution shows Information Disclosure as the most prevalent (250 occurrences), followed by Denial of Service (192), Buffer Overflow (153), and Authentication Bypass (151). Remote Code Execution, SQL Injection, and Cross-Site Scripting appear in 91, 88, and 84 CVEs respectively. Of the 1,125 total CVEs, 467 have patches available, representing approximately 42% patch coverage. The 274 unpatched CRITICAL or HIGH severity vulnerabilities constitute 60% of the combined 460 CRITICAL and HIGH severity CVEs.
Key Trends
Total CVE publication volume decreased 21% week-over-week, from 1,427 to 1,125 CVEs. Linux accounts for 14% of all vendor-attributed CVEs in the dataset, followed by WordPress at 5%. Information Disclosure and Denial of Service techniques together represent 39% of all attack techniques observed. Public exploit code or proof-of-concept availability affects 219 CVEs (19% of total volume). The single CISA KEV entry represents 1.5% of the 65 CRITICAL severity CVEs published during the period.
Recommendations
- CVE-2026-41940: Apply patch from https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- CVE-2025-71284: Within 24 hours: Identify all instances of Synway SMG Gateway Management Software in your environment and isolate affected systems from production networks if possible; block internet-facing access to
- CVE-2026-27760: Within 24 hours: identify all OpenCATS instances in your environment and verify installation status (prioritize any incomplete installations). Within 7 days: apply vendor patch (GitHub commit 3002a29
- CVE-2026-7538: Within 24 hours: Identify and inventory all Totolink A8000RU devices running firmware version 7.1cu.643_b20200521 using network scanning tools; immediately isolate affected devices from internet-facing
- CVE-2026-7240: Within 24 hours: Identify all Totolink A8000RU devices on your network and document firmware versions; immediately isolate any running 7.1cu.643_b20200521 from production networks or internet access. W
- Prioritize remediation for the single CISA KEV entry and the 219 CVEs with public exploit code.
- Address the 274 unpatched CRITICAL or HIGH severity vulnerabilities through compensating controls such as network segmentation, access restrictions, and enhanced monitoring until vendor patches become available.
- Review the 5 CVEs with linked threat intelligence (CVE-2026-32644, CVE-2026-20766, CVE-2026-27785, CVE-2026-3893, CVE-2026-32649) for additional context on attacker methods and indicators of compromise.
Top 10 Priority CVEs
CVE-2026-41940: Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, has an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Because cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.
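As an added triage example (not part of this report or of cPanel's own tooling), the following Python checks inventory version strings against the fixed versions listed in the Critical Threats section above; the hostnames and versions in the sample inventory are constructed, and hosts on branches the advisory does not list are marked for manual review rather than assumed safe.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Earliest fixed build per branch, taken from the advisory as quoted in this report.
FIXED_VERSIONS: Dict[int, Version] = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

def parse_version(text: str) -> Version:
    """Parse 'MAJOR.BRANCH.MINOR.BUILD' (e.g. 11.126.0.53) into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text: str) -> str:
    """Classify one host: 'patched', 'vulnerable', or 'review' (branch not in advisory)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[1])
    if fixed is None:
        # Branches the advisory does not list get no fix here; flag them for manual review.
        return "review"
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows sorted so vulnerable hosts come first."""
    order = {"vulnerable": 0, "review": 1, "patched": 2}
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "web01.example.test": "11.126.0.53",
    "web02.example.test": "11.126.0.54",
    "web03.example.test": "11.110.0.100",
    "legacy.example.test": "11.102.0.30",
    "web04.example.test": "11.136.0.4",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:10s} {host:22s} {ver}")
```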
CVE-2026-41462: ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality, where the login variable is concatenated directly into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.
CVE-2025-71284: Remote code execution in Synway SMG Gateway Management Software allows unauthenticated attackers to execute arbitrary OS commands via command injection in the RADIUS configuration endpoint. The flaw lies in unsanitized POST parameters (radius_address, radius_address2, shared_secret2, source_ip, timeout, retry) that are interpolated directly into sed commands at /en/9-2radius.php. Shadowserver Foundation confirmed active exploitation beginning July 11, 2025, with publicly available exploit code and Nuclei templates enabling widespread automated attacks. The CVSS 9.3 critical severity reflects the combination of network accessibility, no authentication requirement, and the potential for complete system compromise.
CVE-2026-27760: Remote code execution in the OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by manipulating the AJAX endpoint's databaseConnectivity action parameter. The injected code persists in config.php and executes on every page load while the installation wizard remains incomplete. Publicly available exploit code demonstrates breakout from the define() string context using quote and statement-separator techniques. A patch is available via GitHub commit 3002a29, though the CVSS AC:H (high complexity) rating suggests exploitation requires specific timing or environmental conditions during the installation phase.
CVE-2026-7155: A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521 affecting the setLoginPasswordCfg function of /cgi-bin/cstecgi.cgi (CGI Handler component). Manipulation of the admpass argument leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
CVE-2026-7538: OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'proto' parameter in the /cgi-bin/cstecgi.cgi CGI handler. A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier to exploitation. CVSS 8.9 with network vector, low complexity, and no authentication requirement makes this immediately exploitable against internet-facing devices running the vulnerable firmware version.
CVE-2026-7240: OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the User parameter in the setVpnAccountCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub PoC), enabling immediate weaponization. CVSS 8.9 with full impact on confidentiality, integrity, and availability. EPSS data is unavailable and the CVE is not currently in CISA KEV, but the combination of network accessibility, no authentication requirement, and public exploit code makes this a critical risk for internet-facing devices.
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521 affecting the setAdvancedInfoShow function of /cgi-bin/cstecgi.cgi (CGI Handler component). Manipulation of the tty_server argument leads to OS command injection. The attack can be launched remotely. The exploit has been made public and could be used in attacks.
A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521 affecting the setNtpCfg function of /cgi-bin/cstecgi.cgi (CGI Handler component). Manipulation of the tz argument results in OS command injection. The attack can be executed remotely. The exploit is now public and may be used.
A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521 affecting the setStorageCfg function of /cgi-bin/cstecgi.cgi (CGI Handler component). Manipulation of the sambaEnabled argument leads to OS command injection. Remote exploitation is possible. The exploit has been disclosed publicly and may be used.
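As an added detection example (not from this report or any vendor) covering both the Synway RADIUS endpoint and the Totolink CGI handler described above, the following Python scans web-server access-log lines for requests to /en/9-2radius.php or /cgi-bin/cstecgi.cgi that originate outside the networks where device administration is expected; the admin network ranges and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Management endpoints named in this report: the Totolink CGI handler and the Synway RADIUS page.
WATCHED_PATHS = {"/cgi-bin/cstecgi.cgi", "/en/9-2radius.php"}
# Assumed management networks (RFC 1918 here); replace with your own admin ranges.
ADMIN_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings when matching paths
    return rec

def is_admin_source(ip_text):
    """True only if the client address falls inside an expected management network."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: never treat as trusted
    return any(addr in net for net in ADMIN_NETWORKS)

def find_external_admin_hits(log_text):
    """Return (client_ip, path, timestamp) for watched-endpoint requests from non-admin sources."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in WATCHED_PATHS and not is_admin_source(rec["ip"]):
            hits.append((rec["ip"], rec["path"], rec["ts"]))
    return hits

def summarize(hits):
    """Count hits per (client_ip, path) so repeated probing from one source stands out."""
    return Counter((ip, path) for ip, path, _ in hits)

# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
192.168.1.20 - - [01/May/2026:10:00:01 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 512
203.0.113.45 - - [01/May/2026:10:00:07 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 498
203.0.113.45 - - [01/May/2026:10:00:09 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 501
198.51.100.7 - - [01/May/2026:10:01:00 +0000] "POST /en/9-2radius.php HTTP/1.1" 302 0
192.168.1.21 - - [01/May/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""
```

Run `summarize(find_external_admin_hits(SAMPLE_LOG))` to get per-source counts; any non-zero result for a device whose administration is meant to be internal-only is worth an isolation check regardless of request body.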