Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Articles & Coverage 8
AnalysisAI
Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.
Technical ContextAI
cPanel & WHM is a widely deployed Linux-based web hosting control panel that provides administrators and resellers with a web UI (cPanel for end users, WHM for hosting administrators) to manage domains, email, databases, DNS, and server configuration. The root cause is CWE-306 (Missing Authentication for Critical Function), meaning the login flow fails to properly enforce authentication on a code path that should require valid credentials. WP Squared, cPanel's managed WordPress offering, shares the same vulnerable code path. Because cPanel/WHM typically runs with high privileges on shared hosting servers and exposes its management interfaces on TCP ports 2082-2087, an authentication bypass effectively grants attackers administrative control of the hosting stack.
RemediationAI
Apply the vendor-released patch immediately by upgrading to one of the fixed versions appropriate to your release train: cPanel & WHM 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, and WP Squared 11.136.1.7. Most cPanel installations are configured for automatic updates via upcp, so verify that auto-update is enabled and that the host has actually picked up the patched build (check /var/cpanel/version and the cPanel Tweak Settings update tier). Until patched, restrict network access to the cPanel/WHM management ports (2082, 2083, 2086, 2087, and the Webmail ports 2095/2096) to known administrator IPs via firewall or a reverse proxy ACL - this breaks remote login for anyone outside the allowlist, so coordinate with resellers and customer support before deploying. After patching, audit authentication logs (/usr/local/cpanel/logs/access_log, login_log) and reseller activity for signs of prior compromise given the confirmed in-the-wild exploitation, and rotate WHM root, reseller, and cPanel user credentials plus API tokens.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26246