Bug of the year (so far)? Nasty cPanel vulnerability probably exploited as a 0-day

Apr 30, 2026 · 10:14 AM UTC ·3 min read · 0 reactions · 0 comments · 2 views

#cpanel #vulnerability #zero-day #cve-2026-41940 #cybersecurity

Bug of the year (so far)? Nasty cPanel vulnerability probably exploited as a 0-day

⚡ TL;DR · AI summary

A critical vulnerability in cPanel and WHM, tracked as CVE-2026-41940 with a CVSS score of 9.8, allows attackers to bypass authentication and gain root access to servers. The flaw affects all supported versions prior to the emergency patches and may have been exploited as a zero-day for at least 30 days. Given cPanel's widespread use in managing an estimated 70 million domains, the vulnerability poses a significant risk to internet infrastructure.

Original article

The Register

Read full at The Register →

Opening excerpt (first ~120 words) tap to expand

Patches 2 Bug of the year (so far): Nasty cPanel vulnerability probably exploited as a 0-day 2 Emergency patches out now for those managing the millions of domains assumed to be affected Connor Jones Thu 30 Apr 2026 // 10:14 UTC Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it. Dev targeted by sophisticated job scam: 'I let my guard down, and ran the freaking code' READ MORE Given that cPanel and WebHost Manager (WHM) control panel help manage properties for 70 million domains, by some estimates, and the critical severity of CVE-2026-41940 (9.8), the vulnerability is being considered a disaster by those in the security scene.

…

Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.

Anonymous · no account needed

Discussion

0 comments

Bug of the year (so far)? Nasty cPanel vulnerability probably exploited as a 0-day

Discussion

More from The Register