← Voltar para CVEs
CVE-2026-41940
CRITICALCISA KEV9.8
Descricao
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Detalhes CVE
Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado4/29/2026
Ultima modificacao4/30/2026
Fontenvd
Avistamentos honeypot0
CISA KEV
FornecedorWebPros
ProdutocPanel & WHM and WP2 (WordPress Squared)
Nome da vulnerabilidadeWebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Data inclusao KEV2026-04-30
Prazo de remediacao2026-05-03
Uso em ransomwareUnknown
Produtos afetados
cpanel:cpanelcpanel:whmcpanel:wp_squared
Fraquezas (CWE)
CWE-306
Referencias
https://docs.cpanel.net/release-notes/release-notes(disclosure@vulncheck.com)
https://docs.wpsquared.com/changelogs/versions/changelog/#13617(disclosure@vulncheck.com)
https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026(disclosure@vulncheck.com)
https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow(disclosure@vulncheck.com)
https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.