CVE-2026-41940

CRITICALCISA KEV

9.8

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie4/29/2026

Derniere modification4/30/2026

Sourcenvd

Observations honeypot0

CISA KEV

FournisseurWebPros

ProduitcPanel & WHM and WP2 (WordPress Squared)

Nom vulnerabiliteWebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

Date ajout KEV2026-04-30

Date limite remediation2026-05-03

Utilise dans ransomwareUnknown

Produits affectes

cpanel:cpanelcpanel:whmcpanel:wp_squared

Faiblesses (CWE)

CWE-306

References

https://docs.cpanel.net/release-notes/release-notes(disclosure@vulncheck.com)

https://docs.wpsquared.com/changelogs/versions/changelog/#13617(disclosure@vulncheck.com)

https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026(disclosure@vulncheck.com)

https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow(disclosure@vulncheck.com)

https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.