CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-41940

CVSS 9.3v4.0pub. 2026-04-29upd. 2026-05-04

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Cpanel

    APP
    Cpanel
    11.40 – 86.0.41 (bez)88.0.0 – 110.0.97 (bez)112.0.0 – 118.0.63 (bez)120.0.0 – 124.0.35 (bez)126.0.1 – 126.0.54 (bez)128.0.0 – 130.0.19 (bez)132.0.0 – 132.0.29 (bez)134.0.0 – 134.0.20 (bez)136.0.0 – 136.0.5 (bez)
  • Cpanel Whm

    APP
    Cpanel
    11.40 – 86.0.41 (bez)88.0.0 – 110.0.97 (bez)112.0.0 – 118.0.63 (bez)120.0.0 – 124.0.35 (bez)126.0.1 – 126.0.54 (bez)128.0.0 – 130.0.19 (bez)132.0.0 – 132.0.29 (bez)134.0.0 – 134.0.20 (bez)136.0.0 – 136.0.5 (bez)
  • Cpanel Wp Squared

    APP
    Cpanel
    < 136.1.7

CISA KEV — detailsi

Vendori
WebPros
Producti
cPanel & WHM and WP2 (WordPress Squared)
Added to KEVi
April 30, 2026
Remediation deadline (US Federal)i
May 3, 2026(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 3 maja 2026
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2020-26101CRITICAL9.8ten sam produkt

In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).

CVE-2020-26105CRITICAL9.8ten sam produkt

In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).

CVE-2020-26098CRITICAL9.8ten sam produkt

cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).

CVE-2020-26100CRITICAL9.8ten sam produkt

chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).

CVE-2020-26108CRITICAL9.8ten sam produkt

cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).