cPanel CVE-2026-41940 — Patch Your Server Today, It’s Already Being Exploited
cPanel has shipped an emergency patch for CVE-2026-41940, a critical authentication bypass affecting all supported versions of cPanel, WHM and WP Squared. The bug carries a CVSS score of 9.8, and attackers have been quietly exploiting it since at least late February — months before public disclosure, as reported by Help Net Security. CISA added the flaw to its Known Exploited Vulnerabilities catalogue on 30 April with a federal patch deadline of 3 May.
The technical detail matters here because it explains why this is so bad. A CRLF injection in the login flow lets an unauthenticated attacker forge a session file and write themselves in as root. From there they own the host, every database, and every website it serves. If you’re an Australian SMB with a website hosted on a cPanel/WHM server — and that covers the vast majority of small business hosting in this country — your provider’s hygiene is now your problem too.
What to do today: contact your hosting provider and ask for written confirmation that CVE-2026-41940 has been patched on your server. If you self-manage, upgrade to the latest cPanel build immediately and rotate any API tokens, contact-manager passwords and reseller credentials. Treat anything that touched the server before the patch as potentially compromised — review WHM access logs for unfamiliar IPs and look for unexpected reseller accounts. Notifiable Data Breaches obligations under the Privacy Act still apply if customer data was exposed.
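The log review and reseller check in the steps above can be scripted so the same triage runs on every host a provider manages. The block below is an added example written for this post, not tooling from cPanel or from the authors; it assumes the WHM/cPanel access log (normally `/usr/local/cpanel/logs/access_log`) uses an Apache combined-log layout, assumes the reseller list (`/var/cpanel/resellers`) is `username:acl,acl`, and uses a constructed admin allowlist plus constructed sample log lines and reseller entries so it runs offline. Root requests from any address outside the allowlist, and any reseller name not on the expected list, are returned for a human to look at.

```python
"""Post-patch triage helper: flag root access from unfamiliar IPs and
reseller accounts you did not create.

All sample data below is constructed for this example. The log layout and
the reseller-file format are assumptions about the file formats.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed combined-log layout of /usr/local/cpanel/logs/access_log entries.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed allowlist: the networks your admins normally log in from.
ALLOWED_ADMIN_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample log: routine admin traffic plus off-hours root activity
# from an address that is not on the allowlist.
SAMPLE_LOG = """\
203.0.113.10 - root [01/May/2026:08:00:01 +1000] "GET /json-api/listaccts HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.10 - root [01/May/2026:08:00:09 +1000] "GET /scripts2/listaccts HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.77 - root [01/May/2026:03:14:22 +1000] "POST /json-api/createacct HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.77 - root [01/May/2026:03:15:01 +1000] "POST /json-api/setupreseller HTTP/1.1" 200 220 "-" "python-requests/2.31"
203.0.113.22 - bobhost [01/May/2026:09:30:45 +1000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
"""

# Constructed reseller file and the list of resellers you actually set up.
SAMPLE_RESELLERS = "bobhost:acct-summary,list-accts\nsvc_tmp:all\n"
EXPECTED_RESELLERS = ["bobhost"]


def parse_log(text):
    """Parse access-log text into a list of dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def ips_by_user(entries):
    """Map each WHM/cPanel user to the sorted set of source IPs seen for it."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}


def unfamiliar_root_requests(entries, allowed_nets=ALLOWED_ADMIN_NETS):
    """Return (ip, timestamp, request) for root activity outside the allowlist."""
    hits = []
    for e in entries:
        if e["user"] != "root":
            continue
        addr = ip_address(e["ip"])
        if not any(addr in net for net in allowed_nets):
            hits.append((e["ip"], e["ts"], e["req"]))
    return hits


def unexpected_resellers(resellers_text, expected):
    """Parse the assumed user:acl,acl format and return names not in `expected`."""
    found = set()
    for line in resellers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        found.add(line.split(":", 1)[0])
    return sorted(found - set(expected))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for user, ips in ips_by_user(entries).items():
        print(f"{user}: {', '.join(ips)}")
    for ip, ts, req in unfamiliar_root_requests(entries):
        print(f"root from unfamiliar IP {ip} at {ts}: {req}")
    for name in unexpected_resellers(SAMPLE_RESELLERS, EXPECTED_RESELLERS):
        print(f"unexpected reseller account: {name}")
```

On a real host, replace the sample strings with the contents of the two files, put your own admin ranges in the allowlist, and run it across every server before and after the upgrade; a root entry from an address you cannot account for, or a reseller you did not create, is the signal to escalate to incident response rather than just patch and move on.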
If you’d rather not chase this one yourself, we look after patch management and incident triage for clients across Sydney, Brisbane, Melbourne and Central West NSW — see how our cybersecurity team handles emergency CVE response.
