Source: Security.NL
A serious security vulnerability in cPanel and WHM is being actively exploited by attackers, according to Security.NL. Security updates became available on 28 April 2026, but exploitation reportedly began as early as 23 February 2026.
cPanel is a control panel used to manage individual hosting accounts. WHM (WebHost Manager) is the interface that hosting providers use to manage servers and create cPanel accounts. According to Security.NL, around 1.5 million cPanel installations are accessible from the internet.
The flaw, identified as CVE-2026-41940, is rated critical. It allows an attacker who is not logged in to bypass the login process entirely and gain administrator access to a server.
More than 44,000 cPanel and WHM installations have very likely been hacked via a new critical vulnerability identified as CVE-2026-41940, according to The Shadowserver Foundation.
According to Security.NL, the way it works is straightforward: before authentication takes place, the system writes a session file. An attacker can write arbitrary values into that file, such as claiming to be the root user, then reload the file to gain full access. No password is needed.
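The weakness class described above (an identity field taken from a session record that was written before any credential check) is easier to reason about with a toy model. The following Python is an added illustration written for this page; it is not cPanel or WHM code, not the CVE-2026-41940 exploit, and all names (`vuln_preauth_write`, `safe_login`, the `USERS` table, the temporary session directory) are constructed for the example. It shows the vulnerable pattern beside a hardened one: the pre-auth record only accepts an allow-list of harmless fields, the user field is set server-side only after the password check, and the record is sealed with an HMAC so that a tampered file is rejected on reload.

```python
"""Toy model of a pre-authentication session file (constructed example)."""
import hashlib
import hmac
import json
import pathlib
import secrets
import tempfile

# Constructed values: a throwaway session directory, a per-run server key and one test user.
SESSION_DIR = pathlib.Path(tempfile.mkdtemp(prefix="toy-sessions-"))
SERVER_KEY = secrets.token_bytes(32)   # real deployments keep this in a root-only file
USERS = {"alice": "correct horse"}
PREAUTH_ALLOWED = {"locale", "theme"}  # the only client fields a pre-auth record may carry


def _path(sid):
    return SESSION_DIR / f"{sid}.json"


# --- Vulnerable pattern ------------------------------------------------------
def vuln_preauth_write(sid, request_params):
    """Persists every request parameter before any login check.
    A client that sends user=root gets that value stored verbatim."""
    _path(sid).write_text(json.dumps(dict(request_params)))


def vuln_current_user(sid):
    """Reloads the file and trusts its 'user' field as the authenticated identity."""
    return json.loads(_path(sid).read_text()).get("user")


# --- Hardened pattern --------------------------------------------------------
def _seal(record):
    """Serialize the record and attach an HMAC-SHA256 tag under the server key."""
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def _open(text):
    """Verify the tag before believing anything in the record."""
    env = json.loads(text)
    try:
        body, tag = env["body"], env["tag"]
    except (KeyError, TypeError):
        raise ValueError("session record is not a sealed envelope")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("session record failed integrity check")
    return json.loads(body)


def safe_preauth_write(sid, request_params):
    """Only allow-listed, harmless fields come from the client; identity is never
    client-supplied at this stage and the record is sealed before it hits disk."""
    record = {k: v for k, v in request_params.items() if k in PREAUTH_ALLOWED}
    record["user"] = None
    _path(sid).write_text(_seal(record))


def safe_login(sid, username, password):
    """Identity is written server-side only after the credential check succeeds."""
    record = _open(_path(sid).read_text())
    if USERS.get(username) != password:
        return False
    record["user"] = username
    _path(sid).write_text(_seal(record))
    return True


def safe_current_user(sid):
    return _open(_path(sid).read_text()).get("user")


def record_is_trusted(sid):
    """True if the on-disk record still verifies; False if it was replaced or edited."""
    try:
        _open(_path(sid).read_text())
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    vuln_preauth_write("demo", {"user": "root"})
    print("vulnerable store believes:", vuln_current_user("demo"))
    safe_preauth_write("demo", {"user": "root", "locale": "nl"})
    print("hardened store before login:", safe_current_user("demo"))
    safe_login("demo", "alice", "correct horse")
    print("hardened store after login:", safe_current_user("demo"))
```

The detection value of the sealed design is the `record_is_trusted` check: any session file that no longer verifies under the server key was written by something other than the server's own code path, which is exactly the condition a compromise-detection script for this class of bug would look for.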
Several factors make this situation more pressing than a typical software update:
cPanel released a security update on 28 April 2026, along with detection scripts to help identify whether a system has already been compromised.
If your website runs on a hosting account managed through cPanel or WHM, the most important step is to contact your hosting provider and ask whether they have applied the security update for CVE-2026-41940. You do not need to understand the technical details to ask that question. If your hosting provider uses an end-of-life version of cPanel, ask them about their plans to move to a supported version.
You can also review our security checklist for small businesses for practical steps to keep your website protected.
If your website is hosted on a cPanel-based hosting account, your hosting provider is responsible for applying this patch, but it is worth checking with them directly. A compromised hosting account could give an attacker full control over your website, including access to customer data or the ability to alter your content. Staying in contact with your hosting provider during active security incidents like this one is a simple and sensible step.