CVE-2026-41940Known ransomware use

WebPros cPanel & WHM and WP2 (WordPress Squared) · CISA Known Exploited Vulnerability · NIST NVD ↗

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CRITICAL
CVSS severity
9.8
CVSS base score
2026-04-29
Published
2026-05-03
CISA remediate by

CWE codes

CWE-306

Affected products

cpanel:cpanelcpanel:whmcpanel:wp_squared

Sources