Critical cPanel & WHM Zero‑Day (CVE-2026-41940): Authentication Bypass Exploited for Months—and What to Do Now
A critical authentication bypass in cPanel & WHM (CVE-2026-41940, CVSS 9.8) has been exploited as a zero‑day since late February 2026. The flaw grants full control of the host, its configurations, databases, and all managed sites—turning shared hosting environments into high-value targets. cPanel disclosed the issue publicly on April 28 and urged immediate patching across…