CVE-2026-41940 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 29, 2026
cPanel and WHM - Authentication Bypass
Published: April 29, 2026 | Updated: April 29, 2026 | PoC Available | Remote Exploitable
Overview
cPanel and WHM versions before 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass caused by a flaw in the login flow. It lets unauthenticated remote attackers gain unauthorized access to the control panel; exploitation requires no authentication.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated remote attackers can gain unauthorized access to the control panel, compromising system security.
Mitigation
Update to version 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5 or later.
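To triage a fleet against the fixed builds listed above, the following added example (not vendor or advisory code) classifies four-part version strings per release branch using numeric comparison, so that 11.110.0.100 is not mistaken for older than 11.110.0.97. Host names and versions in `SAMPLE` are constructed, and branches the advisory does not name are reported as `unlisted` rather than guessed.

```python
# Added example: triage cPanel/WHM version strings against the fixed builds
# named in this advisory. SAMPLE hosts and versions are constructed.

# Fixed build per release branch (first two components), from the advisory.
FIXED = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}

def parse_version(text):
    """Parse a four-part dotted version; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(text):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparsed'."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparsed"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unlisted"  # branch not in the advisory; check the vendor notice
    # Tuple comparison is numeric, unlike comparing the raw strings.
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Group host names by classification status."""
    groups = {}
    for host, version in inventory.items():
        groups.setdefault(classify(version), []).append(host)
    return groups

SAMPLE = {  # constructed inventory
    "web01.example.test": "11.110.0.96",
    "web02.example.test": "11.110.0.100",
    "web03.example.test": "11.136.0.4",
    "web04.example.test": "11.128.0.12",
    "web05.example.test": "version unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(sorted(hosts))}")
```

Hosts reported as `unlisted` or `unparsed` need manual review against the vendor security update in the references.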
References
- https://docs.cpanel.net/release-notes/release-notes
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
Details
- CVE ID: CVE-2026-41940
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: new
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H