Critical cPanel Vulnerability CVE-2026-41940 Exploited Now

By TrustYourWebsite Editorial · 2 May 2026 · 2 min read

Source: Security.NL

A serious security vulnerability in cPanel and WHM software is currently being actively exploited, and the scale of the problem is significant. If your website runs on a hosting account managed through cPanel, this is worth paying attention to.

What happened?

According to The Shadowserver Foundation, more than 44,000 cPanel and WHM installations have very likely been compromised via a critical vulnerability identified as CVE-2026-41940. The Shadowserver Foundation is a non-profit organisation that monitors vulnerable systems on the internet. Security.NL reported on this on 1 May 2026.

The vulnerability is described as an authentication bypass flaw. According to the Australian Cyber Security Centre (ACSC), this means attackers who are not logged in can still gain remote access to the control panel and execute code on the server. In plain terms: someone outside your hosting environment could potentially take control of it without needing a password.

Both the ACSC and the US Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that active exploitation is taking place.

How widespread is this?

According to The Shadowserver Foundation, at least 650,000 cPanel installations are accessible from the internet. Of those, nearly 13,000 are located in the Netherlands. The foundation arrived at the 44,000 figure by observing IP addresses of cPanel installations scanning its monitoring systems. This number represents installations that are "very likely" compromised, not confirmed cases.

Updates to address CVE-2026-41940 have reportedly been available since 28 April 2026. According to Security.NL, some parties report that exploitation may have been occurring since 23 February 2026, though the source of this claim is not specified.

What should you do?

If you manage your own server or hosting environment using cPanel or WHM, contact your hosting provider or system administrator immediately and ask whether the update for CVE-2026-41940 has been applied. If you use shared hosting, your provider is likely responsible for applying server-level updates, but it is still worth asking for confirmation.

For a broader overview of security steps relevant to small business websites, see our security checklist for small businesses. If your site also runs WordPress, it is worth reviewing our guide on vulnerable WordPress plugins as well.

What does this mean for your website?

If your website is hosted on a server running cPanel or WHM, your hosting environment could be at risk if the available update has not been applied. A compromised hosting account can affect your website, your customer data and your email. Contact your hosting provider to confirm that your server software is up to date.
