
Security Alert: Critical cPanel and WHM Authentication Vulnerability Exploited

A critical vulnerability tracked as CVE-2026-41940 has been identified in cPanel and WHM (WebHost Manager) and related services, including WP Squared (WP2), and is currently being actively exploited by attackers. The issue allows unauthorized access to control panels by bypassing authentication controls.
 
Affected Systems:
 
  • cPanel and WHM: All supported versions prior to 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5
  • WP Squared (WP2): versions prior to 136.1.7
 
Security Risks
 
The successful exploitation of this vulnerability could allow attackers to bypass authentication controls and gain unauthorized administrative access to cPanel and WHM systems without valid credentials.
 
For more information on this vulnerability and related updates, please refer to the official cPanel security advisory for CVE-2026-41940.
 
Recommended Actions
 
The National Cyber Security Authority (NCSA) recommends users and system administrators:
 
  • Upgrade cPanel and WHM to the latest supported versions to ensure continued access to security patches and technical support.
 
The recommended versions are:
 
  • cPanel and WHM: Upgrade to versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5
  • WP Squared (WP2): Upgrade to version 136.1.7
  • If patching cannot be applied immediately, restrict access to ports 2083, 2087, 2095, and 2096, or disable cPanel core services (cpsrvd and cpdavd).
  • Ensure valid backups are available before applying updates.
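
To triage a fleet against the version list above, the following added example (not cPanel or NCSA code) classifies a cPanel and WHM version string by release branch. It assumes the caller supplies the installed version in the four-field form used in this alert; WP Squared versions are not handled, and the sample versions in the comments are constructed.

```sh
#!/bin/sh
# Added example: classify a cPanel & WHM version against the fixed builds
# listed in this alert. Not cPanel or NCSA code.

# Fixed build per release branch, copied from the alert's version list.
FIXED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# check_cpanel_version VERSION
# Prints: patched | vulnerable | unlisted-branch | invalid
check_cpanel_version() {
    version=$1
    # Accept only digits and dots, with no empty fields.
    case $version in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    # Require exactly four fields (branch 11.x.0 plus build number).
    case $version in
        *.*.*.*.*) echo invalid; return 0 ;;
        *.*.*.*)   ;;
        *)         echo invalid; return 0 ;;
    esac
    branch=${version%.*}
    build=${version##*.}
    for fixed in $FIXED_BUILDS; do
        if [ "$branch" = "${fixed%.*}" ]; then
            # Same branch: compare the build number with the fixed build.
            if [ "$build" -ge "${fixed##*.}" ]; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    # Branch not named in the alert: do not guess, flag for manual review.
    echo unlisted-branch
}

# Stand-alone use: sh check.sh 11.110.0.96 11.136.0.5 (constructed samples)
for v in "$@"; do
    printf '%s\t%s\n' "$v" "$(check_cpanel_version "$v")"
done
```

A result of `unlisted-branch` means the alert gives no fixed build for that branch, so the host needs manual review against the vendor advisory rather than being assumed safe.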
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call us on 9009.
 
References

04 May 2026

© 2026 National Cyber Security Authority