Source: Security.NL
A serious security vulnerability in cPanel and WHM is being actively exploited by attackers, according to Security.NL. Security updates became available on 28 April 2026, but exploitation reportedly began as early as 23 February 2026.
cPanel is a control panel used to manage individual hosting accounts. WHM (WebHost Manager) is the interface that hosting providers use to manage servers and create cPanel accounts. According to Security.NL, around 1.5 million cPanel installations are accessible from the internet.
The flaw, identified as CVE-2026-41940, is rated critical. It allows an attacker who is not logged in to bypass the login process entirely and gain administrator access to a server.
According to Security.NL, the mechanism is straightforward: the system writes a session file before authentication takes place. An attacker can write arbitrary values into that file, such as a claim to be the root user, and then have the file reloaded to gain full access. No password is needed.
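As an added illustration of the pattern just described (this is not cPanel's code and not from Security.NL): a toy session store in which the flawed loader takes its identity from a file a client could write before login, beside a hardened loader that accepts an identity only from a record the login routine signed with a server-held key and marked as authenticated. SERVER_KEY, the function names and the file contents are all constructed for the model.

```python
import hashlib, hmac, json, os, tempfile

# Constructed secret for this model; a real server would keep it in protected config.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"

def write_session_plain(path, fields):
    """Flawed pattern: session fields are written as plain JSON before login."""
    with open(path, "w") as f:
        json.dump(fields, f)

def load_session_trusting(path):
    """Flawed loader: whatever 'user' the file claims becomes the caller's identity."""
    with open(path) as f:
        return json.load(f).get("user")

def _sign(fields):
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def write_session_signed(path, fields):
    """Hardened writer: only the login routine calls this, after credentials are verified."""
    with open(path, "w") as f:
        json.dump({"fields": fields, "mac": _sign(fields)}, f)

def load_session_hardened(path):
    """Hardened loader: identity is accepted only from a correctly signed, authenticated record."""
    with open(path) as f:
        record = json.load(f)
    fields = record.get("fields") if isinstance(record, dict) else None
    if not isinstance(fields, dict) or not isinstance(record.get("mac"), str):
        return None  # not in the shape the login routine writes
    if not hmac.compare_digest(record["mac"], _sign(fields)):
        return None  # content was altered or never signed by the server
    return fields.get("user") if fields.get("authenticated") is True else None

def demo():
    """Compares both loaders on a forged file and on files the login routine wrote."""
    d = tempfile.mkdtemp()
    forged, legit, unauth = (os.path.join(d, n) for n in ("forged", "legit", "unauth"))
    write_session_plain(forged, {"user": "root", "authenticated": True})  # constructed forgery
    write_session_signed(legit, {"user": "root", "authenticated": True})  # after password check
    write_session_signed(unauth, {"user": "root", "authenticated": False})  # pre-login state
    return {
        "trusting_forged": load_session_trusting(forged),
        "hardened_forged": load_session_hardened(forged),
        "hardened_legit": load_session_hardened(legit),
        "hardened_unauth": load_session_hardened(unauth),
    }
```

The forged file yields root under the trusting loader and nothing under the hardened one; only a record the server signed after a real password check grants an identity.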
Several factors make this situation more pressing than a typical software update:
cPanel released a security update on 28 April 2026, along with detection scripts to help identify whether a system has already been compromised.
If your website runs on a hosting account managed through cPanel or WHM, the most important step is to contact your hosting provider and ask whether they have applied the security update for CVE-2026-41940. You do not need to understand the technical details to ask that question. If your hosting provider uses an end-of-life version of cPanel, ask them about their plans to move to a supported version.
You can also review our security checklist for small businesses for practical steps to keep your website protected.
If your website is hosted on a cPanel-based hosting account, your hosting provider is responsible for applying this patch, but it is worth checking with them directly. A compromised hosting account could give an attacker full control over your website, including access to customer data or the ability to alter your content. Staying in contact with your hosting provider during active security incidents like this one is a simple and sensible step.