cPanel Authentication Bypass Vulnerability (CVE-2026-41940)

A critical security vulnerability (CVE-2026-41940) has been identified in cPanel, Web Host Manager (WHM) and WP Squared which may allow unauthenticated attackers to completely compromise affected systems through an authentication bypass in the login process.

Severity level:
CVSS Score: 9.8/Critical.

Description:
CVE‑2026‑41940 is a critical authentication bypass vulnerability in cPanel, WHM, and WP Squared caused by improper session handling during the login process. Unsanitized user‑controlled input can be injected into pre‑authentication session files, allowing an unauthenticated attacker to escalate privileges. Successful exploitation results in full administrative or root‑level access to the affected server.

Affected Versions:

  • cPanel & WHM: all versions after 11.40.
  • WP Squared: all versions prior to 11.136.1.7.

Impact:
Successful exploitation may allow attackers to bypass authentication without valid credentials and gain full admin access to cPanel/WHM.

Resolution:

Administrators must upgrade immediately to one of the following patched versions or later:

cPanel & WHM patched versions:

  • 11.86.0.41
  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.130.0.19
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5

WP Squared patched version:

  • 11.136.1.7
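
The following check is an added example, not code from cPanel or from the original advisory. It compares an installed build against the patched builds listed above on a per-branch basis. It assumes the version is supplied as a four-field string in the form the advisory uses (how that string is read from the server is not shown), and the function names and status labels are hypothetical.

```python
# Added example: patched builds copied from the advisory above.
# Key = release branch (first three fields), value = first patched build.
CPANEL_PATCHED = {
    (11, 86, 0): 41, (11, 110, 0): 97, (11, 118, 0): 63, (11, 126, 0): 54,
    (11, 130, 0): 19, (11, 132, 0): 29, (11, 134, 0): 20, (11, 136, 0): 5,
}
WP2_PATCHED = (11, 136, 1, 7)
AFFECTED_AFTER = (11, 40)  # "all versions after 11.40"


def parse_version(text):
    """Turn '11.110.0.97' into (11, 110, 0, 97); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return tuple(int(p) for p in parts)


def assess_cpanel(version):
    """Classify a cPanel & WHM build as patched, vulnerable, review or not-listed."""
    v = parse_version(version)
    branch, build = v[:3], v[3]
    if branch[:2] < AFFECTED_AFTER:
        return "not-listed"  # older than the range the advisory names
    if branch in CPANEL_PATCHED:
        return "patched" if build >= CPANEL_PATCHED[branch] else "vulnerable"
    if branch > max(CPANEL_PATCHED):
        return "patched"  # the advisory's "or later": newer than every listed fix
    # Unlisted branch inside the affected range: a higher number than some
    # patched build does not show the fix is present, so flag it for an upgrade.
    return "review"


def assess_wp2(version):
    """WP Squared: every build prior to 11.136.1.7 is affected."""
    return "patched" if parse_version(version) >= WP2_PATCHED else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("11.110.0.96", "11.110.0.97", "11.120.0.99", "11.138.0.1"):
        print(sample, assess_cpanel(sample))
    print("11.136.1.6", assess_wp2("11.136.1.6"))
```

A "review" result means the build sits on a branch for which the advisory lists no patched build, so a plain numeric comparison against the lowest patched version would wrongly report it as fixed.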

Reference:

UIT Information Security