:

CPANEL ZERO-DAY ACTIVELY EXPLOITED, POC RELEASED

AI DESK2 MIN READ
THU, APR 30, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

A critical authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild since late February. A proof-of-concept is now publicly available.

The Vulnerability CVE-2026-41940 is a critical authentication bypass flaw affecting cPanel, WHM, and WP Squared. The vulnerability allows attackers to circumvent authentication mechanisms, potentially granting unauthorized access to hosting control panels and administrative functions. Active Exploitation Security researchers have confirmed active exploitation attempts dating back to late February. The release of a public proof-of-concept has significantly expanded the attack surface, enabling a broader range of threat actors to leverage the flaw. Risk Assessment The combination of a critical severity rating and public exploit code creates an urgent threat landscape. Organizations running affected versions face elevated risk of unauthorized access, data breaches, and potential lateral movement within hosting infrastructure. Affected Systems The vulnerability impacts multiple cPanel and WHM versions. WP Squared installations are also vulnerable. Administrators should immediately identify and inventory affected systems across their infrastructure. Recommended Actions Organizations should prioritize patching to the latest available versions. Interim mitigations may include restricting access to administrative interfaces, monitoring authentication logs for suspicious activity, and implementing network-level controls on management ports. Timeline While initial exploitation attempts occurred in late February, the public release of proof-of-concept code has accelerated the threat timeline. The window for remediation has narrowed considerably. cPanel and WHM administrators should treat this as a critical priority and coordinate patching across their infrastructure immediately. The availability of public exploit code means this vulnerability will likely see widespread exploitation efforts in the coming days.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

The Los Angeles Police Department has declined to renew its contract with Flock Safety, citing data privacy concerns. The decision marks a shift in the department's approach to automated license plate reader technology.

1H AGOIndustry Desk

Department of Homeland Security analysts dismissed suspicious network activity detected in May as harmless before confirming a breach in June, according to internal documents.

1H AGOSecurity Desk

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that Russian state-sponsored hackers are actively targeting residential routers. The threat escalates as attackers seek to exploit routers for use as residential proxies.

1H AGOSecurity Desk

Grok CLI experienced a critical bug that caused it to upload entire home directories to Google Cloud Storage. The issue sparked significant discussion in the developer community about data handling practices.

3H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.