CVE-2026-41940

CRITICALCISA KEV

9.8

Beschreibung

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht4/29/2026

Zuletzt geandert4/30/2026

Quellenvd

Honeypot-Sichtungen0

CISA KEV

HerstellerWebPros

ProduktcPanel & WHM and WP2 (WordPress Squared)

SchwachstellennameWebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

KEV Aufnahmedatum2026-04-30

Behebungsfrist2026-05-03

Ransomware-NutzungUnknown

Betroffene Produkte

cpanel:cpanelcpanel:whmcpanel:wp_squared

Schwachen (CWE)

CWE-306

Referenzen

https://docs.cpanel.net/release-notes/release-notes(disclosure@vulncheck.com)

https://docs.wpsquared.com/changelogs/versions/changelog/#13617(disclosure@vulncheck.com)

https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026(disclosure@vulncheck.com)

https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow(disclosure@vulncheck.com)

https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.