A critical authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild since late February. A proof-of-concept is now publicly available.
The Vulnerability
CVE-2026-41940 is a critical authentication bypass flaw affecting cPanel, WHM, and WP Squared. The vulnerability allows attackers to circumvent authentication mechanisms, potentially granting unauthorized access to hosting control panels and administrative functions.
Active Exploitation
Security researchers have confirmed active exploitation attempts dating back to late February. The release of a public proof-of-concept has significantly expanded the attack surface, enabling a broader range of threat actors to leverage the flaw.
Risk Assessment
The combination of a critical severity rating and public exploit code creates an urgent threat landscape. Organizations running affected versions face elevated risk of unauthorized access, data breaches, and potential lateral movement within hosting infrastructure.
Affected Systems
The vulnerability impacts multiple cPanel and WHM versions. WP Squared installations are also vulnerable. Administrators should immediately identify and inventory affected systems across their infrastructure.
Recommended Actions
Organizations should prioritize patching to the latest available versions. Interim mitigations may include restricting access to administrative interfaces, monitoring authentication logs for suspicious activity, and implementing network-level controls on management ports.
Timeline
While initial exploitation attempts occurred in late February, the public release of proof-of-concept code has accelerated the threat timeline. The window for remediation has narrowed considerably.
cPanel and WHM administrators should treat this as a critical priority and coordinate patching across their infrastructure immediately. The availability of public exploit code means this vulnerability will likely see widespread exploitation efforts in the coming days.
The Los Angeles Police Department has declined to renew its contract with Flock Safety, citing data privacy concerns. The decision marks a shift in the department's approach to automated license plate reader technology.
Department of Homeland Security analysts dismissed suspicious network activity detected in May as harmless before confirming a breach in June, according to internal documents.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that Russian state-sponsored hackers are actively targeting residential routers. The threat escalates as attackers seek to exploit routers for use as residential proxies.
Grok CLI experienced a critical bug that caused it to upload entire home directories to Google Cloud Storage. The issue sparked significant discussion in the developer community about data handling practices.