NeuralPress

Primary Sources

techcrunch.com
Hackers are actively exploiting a bug in cPanel, used by millions of ...

Security researchers are sounding the alarm on a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM). The bug allows hackers to hijack and take full control of the servers running the affected software, which is thought to be used by tens of millions of website owners around the world.

Many commercial web hosting companies have patched their customers’ systems already. But the cPanel maker urged customers to ensure that their systems are patched as the bug affects all supported versions of the software.

cPanel and WHM are two software suites used for managing web servers that host websites, manage emails, and handle important configurations and databases needed to maintain an internet domain. The two suites have deep access to the servers that they manage, allowing a malicious hacker potentially unrestricted access to data managed by the affected software.

The bug, officially tracked as CVE-2026-41940, allows malicious hackers to remotely bypass its login screen to gain full access to the software’s administration panel. Given the ubiquity of the cPanel and WHM software across the web hosting industry, hackers could compromise potentially large numbers of websites that haven’t patched the bug.

Canada’s national cybersecurity agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, such as large web hosting companies. The agency said that “exploitation is highly probable” and that immediate action from cPanel customers, or their web hosts, is necessary to prevent malicious access.

Web hosting giant Namecheap, which uses cPanel to allow its customers to manage their web servers, said the company blocked access to customers’ cPanel panels after learning of the flaw to prevent exploitation, and to give it time to patch its customers’ systems. Hostgator also said it patched its systems and is considering the bug a “critical authentication-bypass exploit.”

One web hosting company says it found evidence that hackers have been abusing the vulnerability for months before the attempts were discovered. KnownHost CEO Daniel Pearson said in a post on Reddit that his company has seen attempts to exploit the vulnerability as far back as February 23. The company said it also briefly began blocking access to customer systems before applying patches. According to Pearson, around 30 servers at KnownHost showed signs of unauthorized attempted access ou...

thestack.technology
The internet's control plane, cPanel is under attack

cPanel, the server and website management software used by millions of domains and hundreds of thousands of companies, has a critical vulnerability, CVE-2026-41940, that is under active exploitation.

The CVSS 9.8 cPanel vulnerability lets attackers bypass authentication. It affects “all currently supported versions after 11:40,” cPanel said in a short advisory, being updated in real-time as The Stack published today. WHM, the administrative interface used to manage, monitor, and control multiple cPanel accounts, is also vulnerable to the CVSS 9.8 bug.

cPanel and WHM (management ports 2083, 2087) are usually exposed to the internet so that admins can manage their sites, and attacks require no user interaction; an attacker simply sends specifically crafted HTTP requests directly to the server. The vulnerability chains multiple small, seemingly minor logic flaws together to give a remote user root access.

Privately owned cPanel's team urged the Internet's millions of cPanel users in its advisory to "force password reset for root and all WHM users; audit /var/log/wtmp and WHM access logs for unauthorized access; [and] check for persistence mechanisms (cron, SSH keys, backdoors)."

Updating the thin advisory moments before The Stack published, cPanel provided a detection script to look for indicators of compromise (IOCs).

The CVE has not yet hit CISA's KEV. Managed hosting provider KnownHost's CEO Daniel Pearson said that attacks may have been ongoing since February this year. (The Stack could not immediately confirm post-compromise attacker behaviour.)

He wrote today on Reddit: “This has absolutely been used in the wild…

“I've personally confirmed the access, and the exploit has been re-created. We're not releasing any of that information externally at this time as the last thing the industry needs is a bunch of copycats trying it out.”

Pearson did not share IOCs but suggested that users check their WHM (a control panel used by hosting providers to manage cPanel accounts) access log and session log “for successful root sessions coming from IPs you aren't aware of or shouldn't have access to your system. Also check for access specifically to the WHM Root Terminal/SSH interface page.”

Benjamin Harris of attack surface management firm watchTowr commented: “Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product. Hosting.com, Namecheap, KnownHost, HostPapa, InMotion and the rest all...

techradar.com
Critical cPanel CRLF injection vulnerability puts tens of millions of ...

'The Internet is falling down': Critical cPanel CRLF injection vulnerability puts tens of millions of websites at risk of total compromise - hosting providers urged to apply CVE ...

hadrian.io
cPanel Critical Authentication Bypass Actively Exploited

cPanel disclosed a critical authentication bypass vulnerability affecting all currently supported versions of cPanel and WebHost Manager (WHM) on April 28, 2026. The flaw allows unauthenticated attackers to bypass login mechanisms and gain administrative control over web hosting servers.
