Critical cPanel bug exposes millions of websites to full server takeover

Published: 2 May 2026
Last updated: 4 May 2026
personal data leaking concept

A critical vulnerability in cPanel and WHM, tracked as CVE-2026-41940, allows attackers to bypass authentication and gain full server access. It may have been actively exploited since late February, potentially affecting millions of domains, but emergency patches are now available.

Key takeaways:
  • Critical flaw lets hackers bypass login and seize server.
  • Attacks may have been happening weeks before discovery.
  • Patch released, but outdated systems remain exposed.
  • Tens of millions of websites could be impacted.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.

The vulnerability affects all supported versions of the software released prior to the patch.

ADVERTISEMENT

Although the exact date of the first exploitation is not known, KnownHost CEO Daniel Pearson said that there were recorded "execution attempts as early as [February 23rd, 2026]."

cPanel released a fix on April 28th, just a few hours after the public advisory was published. Hosting providers, including Namecheap and KnownHost, quickly moved to block cPanel-related ports pending the patch.

cPanel warns that servers running unsupported or end-of-life versions should update as soon as possible via a full platform upgrade, although they will not receive an emergency patch.

The affected cPanel and WebHost Manager (WHM) are used across 70 million domains, according to The Register.

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites

These are popular Linux-based tools used to run web servers and hosting accounts. cPanel allows to manage files, domain, and databases, while WHM is used by server administrators.

They are among the most widely used hosting control panels in the industry, with over a million server installations as of 2026, which makes them an attractive target for cybercriminals.

The vulnerability also affects WP Squared, a hosting platform for WordPress owned by cPanel.

ADVERTISEMENT

A successful exploit could have a critical impact on websites and hosting environments, allowing attackers to compromise cPanel accounts, install backdoors, deploy malware or ransomware, extract customer data, or abuse servers for malicious operations.

The exploit hasn’t yet been attributed to a specific attacker.

Website owners are encouraged to review their logs for unusual login attempts, newly created users, or unusual cron jobs prior to the patch. On top of that, it’s recommended to use 2FA for access to all WHM and cPanel accounts and restrict WHM port access to trusted IP addresses via firewall rules.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Google News Follow us
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked