What's Going On
We're reaching out regarding a security vulnerability (CVE-2026-41940) disclosed on April 28, 2026, with a "critical" rating (CVSS 9.8). This vulnerability is present in cPanel, WHM and WP Squared. If left unpatched, an attacker may be able to bypass authentication, including instances with MFA configured. This gives them full administrative control over an affected server and all related hosted websites. The vulnerability is being actively exploited in the wild.

Who Is Affected
We believe you may be running cPanel & WHM. Therefore, we wanted to notify you about this vulnerability and available remediation options. All currently supported releases of cPanel & WHM after version 11.40 are affected. Patches are available from cPanel to fix the underlying vulnerability, and we strongly recommend you update to the listed versions or newer as soon as you are able.

 

The patched cPanel & WHM versions are:

  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5

 

The patched WP Squared version is:

  • 136.1.7

All patched versions contain fixes for CVE-2026-41940.

How to Remediate
The best course of action is to update to a patched version as soon as possible. Once updated, it is critical to restart the cpsrvd service to ensure the fix is loaded. You can verify your build with /usr/local/cpanel/cpanel -V after upgrading. The version returned applies to both cPanel and WHM.
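
One way to act on the verification step above, as an added example that is not part of the original notice or of cPanel's tooling: a shell function that compares a cPanel & WHM version string with the patched build listed for its release tier. The function names and the accepted "110.0 (build 97)" output form are assumptions; WP Squared versions are not covered.

```shell
#!/bin/sh
# Added example, not cPanel's or the provider's tooling.
# Patched cPanel & WHM builds from the advisory, as "tier.minimum_build".
PATCHED="110.97 118.63 126.54 132.29 134.20 136.5"

# normalize_version: print "tier build", or nothing if the string is not
# recognised. Accepts the dotted form the advisory uses (11.110.0.97) and,
# as an assumption about the tool's output, the form "110.0 (build 97)".
# Only minor version 0 is accepted, because every listed build has minor 0.
normalize_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^11\.\([0-9][0-9]*\)\.0\.\([0-9][0-9]*\)$/\1 \2/p' \
        -e 's/^\([0-9][0-9]*\)\.0 (build \([0-9][0-9]*\))$/\1 \2/p'
}

# check_cpanel_build: print one of
#   patched    - build is at or above the listed fix for its tier
#   vulnerable - tier is listed but the build is below the fix
#   unlisted   - tier has no patched build in the advisory
#   unparsed   - version string not understood
check_cpanel_build() {
    # Intentional word splitting: the output is two digit strings.
    set -- $(normalize_version "$1")
    [ $# -eq 2 ] || { echo "unparsed"; return 2; }
    tier=$1
    build=$2
    for entry in $PATCHED; do
        if [ "${entry%%.*}" = "$tier" ]; then
            # Numeric comparison, so build 100 ranks above build 29.
            if [ "$build" -ge "${entry#*.}" ]; then
                echo "patched"; return 0
            fi
            echo "vulnerable"; return 1
        fi
    done
    echo "unlisted"; return 3
}

# Check the local install only when the binary named in the advisory exists.
if [ -x /usr/local/cpanel/cpanel ]; then
    check_cpanel_build "$(/usr/local/cpanel/cpanel -V)"
fi
```

A result of "unlisted" or "unparsed" means the advisory's list does not settle the question for that version, so it needs a manual check rather than being treated as patched.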


Please take immediate action to secure your environment. Our support team is available if you need assistance with this upgrade. Please be aware that if we see evidence your infrastructure is engaging in abusive behavior, we may take action to limit any harm caused to our other customers and the Internet at large, up to and including restricting network traffic for the resources, as part of the activities we customarily undertake to protect the environment.


Thank you for treating this with urgency, keeping your data and infrastructure safe, and helping keep the Internet safe.



Thursday, April 30, 2026


