CVE-2026-41940

Analyzed
Published: 29 Apr 2026, 15:10
Last modified: 30 Apr 2026, 22:20

Vulnerability Summary

Overall Risk (default): high (70/100)
CVSS Score: 9.8 CRITICAL (v3.1, cve.org)
EPSS Score: 16.52% MEDIUM (17% probability)
KEV: Listed (CISA, 1 listing)
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected

Timeline

29 Apr 2026, 15:10 | Published | Vulnerability first disclosed
30 Apr 2026, 00:00 | Added to CISA KEV | WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
30 Apr 2026, 22:20 | Last Modified | Vulnerability information updated
03 May 2026, 00:00 | CISA Remediation Due | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVSS Metrics

  • v4.0 CRITICAL, score 9.3: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v4.0 CRITICAL, score 9.3 (threat, environmental and supplemental metrics not defined): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • v3.1 CRITICAL, score 9.8: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 16.52% (percentile: 95%)

Techniques & Countermeasures

  • CWE-306 Missing Authentication for Critical Function

    The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Affected Systems

  • cpanel, l.l.c. / cpanel & whm

    ≥ 11.110.0, < 11.110.0.97 | ≥ 11.118.0, < 11.118.0.63 | ≥ 11.126.0, < 11.126.0.54 | ≥ 11.132.0, < 11.132.0.29 | ≥ 11.134.0, < 11.134.0.20 | ≥ 11.136.0, < 11.136.0.5

  • cpanel, l.l.c. / wp squared

    ≥ 11.136.1, < 11.136.1.7

  • cpanel / cpanel

    ≥ 11.110.0, < 11.110.0.97 | ≥ 11.118.0, < 11.118.0.63 | ≥ 11.126.0, < 11.126.0.54 | ≥ 11.132.0, < 11.132.0.29 | ≥ 11.134.0, < 11.134.0.20 | ≥ 11.136.0, < 11.136.0.5 | ≥ 11.86.0, < 11.86.0.41 | ≥ 11.130.0, < 11.130.0.18 | ≥ 11.40, < 86.0.41 | ≥ 88.0.0, < 110.0.97 | ≥ 112.0.0, < 118.0.63 | ≥ 120.0.0, < 126.0.54 | ≥ 128.0.0, < 130.0.19 | ≥ 132.0.0, < 132.0.29 | ≥ 134.0.0, < 134.0.20 | ≥ 136.0.0, < 136.0.5

  • cpanel / whm

    ≥ 11.110.0, < 11.110.0.97 | ≥ 11.118.0, < 11.118.0.63 | ≥ 11.126.0, < 11.126.0.54 | ≥ 11.132.0, < 11.132.0.29 | ≥ 11.134.0, < 11.134.0.20 | ≥ 11.136.0, < 11.136.0.5 | ≥ 11.86.0, < 11.86.0.41 | ≥ 11.130.0, < 11.130.0.18 | ≥ 11.40, < 86.0.41 | ≥ 88.0.0, < 110.0.97 | ≥ 112.0.0, < 118.0.63 | ≥ 120.0.0, < 126.0.54 | ≥ 128.0.0, < 130.0.19 | ≥ 132.0.0, < 132.0.29 | ≥ 134.0.0, < 134.0.20 | ≥ 136.0.0, < 136.0.5

  • cpanel / wp_squared

    ≥ 11.136.1, < 11.136.1.7 | < 136.1.7

  • webpros / cpanel

    ≥ 11.40.0.0, < 11.86.0.41 | ≥ 11.88.0.0, < 11.110.0.97 | ≥ 11.112.0.0, < 11.118.0.63 | ≥ 11.120.0.0, < 11.126.0.54 | ≥ 11.128.0.0, < 11.130.0.19 | ≥ 11.132.0.0, < 11.132.0.29 | ≥ 11.134.0.0, < 11.134.0.20 | ≥ 11.136.0.0, < 11.136.0.5

  • webpros / whm

    ≥ 11.40.0.0, < 11.86.0.41 | ≥ 11.88.0.0, < 11.110.0.97 | ≥ 11.112.0.0, < 11.118.0.63 | ≥ 11.120.0.0, < 11.126.0.54 | ≥ 11.128.0.0, < 11.130.0.19 | ≥ 11.132.0.0, < 11.132.0.29 | ≥ 11.134.0.0, < 11.134.0.20 | ≥ 11.136.0.0, < 11.136.0.5

References (7)