Critical cPanel authentication bypass CVE-2026-41940 exploited in wild since February before April patch
Tags Security · Infrastructure

CVE-2026-41940 is a critical authentication bypass in cPanel & WHM, rated CVSS 9.8, that lets an unauthenticated remote attacker obtain full administrative access to the hosting control panel. It was exploited in the wild from roughly February 2026, about two months before cPanel shipped a fix on April 28, 2026. Shodan counted roughly 1.5 million internet-exposed cPanel instances in scope. cPanel issued emergency patches for seven version branches, from 11.110.0 through 11.136.0, and CISA added the flaw to its Known Exploited Vulnerabilities catalog with a mid-May remediation deadline for federal agencies.

Ahead of the patch, major hosting providers including Namecheap, KnownHost, HostPapa, and InMotion blocked inbound TCP/2083 (cPanel over TLS) and TCP/2087 (WHM over TLS) at the network edge, cutting off the exposed login surface at the cost of customer panel access. The reporting names only those two TLS ports; cPanel also listens on the non-TLS ports TCP/2082 and TCP/2086 by default, so operators applying the same mitigation should confirm those are covered or already disabled. The incident underscores the exposure surface of widely deployed shared hosting infrastructure and the gap between first exploitation and public disclosure in the web hosting ecosystem.
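The two actions the article implies for an operator are checking which servers run a version branch in the patched range and checking whether the cPanel/WHM ports are reachable from outside. The script below is an added example written for this page, not code from the article, from cPanel, or from any of the providers named; it parses cPanel version strings, flags hosts on branches in the 11.110.0 through 11.136.0 range the article lists, and probes the panel ports with a plain TCP connect. The fixed build number per branch is not stated in the article, so `PATCHED_BUILDS` is an empty placeholder to be filled in from the vendor advisory, and the inventory and hostnames are constructed sample data.

```python
"""Exposure triage for CVE-2026-41940 (added example, not vendor code)."""
import re
import socket

# The article gives only the endpoints of the patched range (11.110.0 through
# 11.136.0). Branches older than 11.110 are outside the listed patches and
# need separate handling; the exact fixed build per branch must come from the
# cPanel advisory. PATCHED_BUILDS is therefore a placeholder (assumption): fill
# it in as {"11.110.0": <fixed build>, ...} before trusting "patched" results.
AFFECTED_MAJOR_RANGE = (110, 136)
PATCHED_BUILDS = {}

# cPanel listens on TCP/2082 (cPanel) and 2086 (WHM) in the clear and on
# TCP/2083 and 2087 over TLS. The article names only the two TLS ports.
PANEL_PORTS = {"cpanel": 2082, "cpanel-tls": 2083, "whm": 2086, "whm-tls": 2087}

# Version strings as printed by /usr/local/cpanel/cpanel -V, e.g. "11.110.0.12"
# or "110.0.12" (the leading "11." is optional in cPanel's own output).
VERSION_RE = re.compile(r"^(?:11\.)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, build) for a cPanel & WHM version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version, patched_builds=None):
    """Classify a version against the patched range and the fixed-build table.

    Returns one of: "outside-listed-branches", "affected-range-check-advisory"
    (branch is in range but no fixed build is known), "vulnerable", "patched".
    """
    if patched_builds is None:
        patched_builds = PATCHED_BUILDS
    major, minor, build = parse_version(version)
    if not AFFECTED_MAJOR_RANGE[0] <= major <= AFFECTED_MAJOR_RANGE[1]:
        return "outside-listed-branches"
    fixed = patched_builds.get(f"11.{major}.{minor}")
    if fixed is None:
        return "affected-range-check-advisory"
    return "patched" if build >= fixed else "vulnerable"


def port_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this vantage point.

    Run it from a network you do not control (or a cloud VM) to see what an
    attacker sees; a connect that succeeds means the perimeter block the
    providers applied is not in place for that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(host, version, patched_builds=None, probe=port_reachable):
    """Combine version status with the list of panel ports that answer."""
    return {
        "host": host,
        "version": version,
        "status": version_status(version, patched_builds),
        "exposed_ports": [p for p in PANEL_PORTS.values() if probe(host, p)],
    }


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("shared-01.example.net", "11.110.0.12"),
    ("shared-02.example.net", "136.0.3"),
    ("legacy-03.example.net", "11.102.0.8"),
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        report = exposure_report(host, version)
        print(f"{report['host']:24} {report['version']:12} "
              f"{report['status']:32} exposed={report['exposed_ports']}")
```

Hosts reported as `affected-range-check-advisory` are the ones to prioritise until the fixed builds are entered; any host with 2083 or 2087 in `exposed_ports` and a status other than `patched` is in the position the article describes.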