A critical security vulnerability tracked as CVE-2026-41940 has been discovered in most versions of cPanel and WebHost Manager (WHM), potentially allowing attackers to access hosting control panels without authentication.
The flaw carries a severity score of 9.8, making it one of the most serious issues affecting widely used hosting software.
Owned by WebPros International, cPanel and WHM are Linux-based control panels used by hosting providers and website owners to manage servers, websites, databases, and email systems. WHM handles server-level administration, while cPanel provides access to individual website environments.
Although technical details of the vulnerability have not been publicly disclosed, its impact is significant. Hosting provider Namecheap took immediate precautionary action by temporarily blocking access to ports 2083 and 2087, which are used for cPanel and WHM logins, to protect users before patches were released.
In a statement, Namecheap confirmed the issue involves an authentication bypass that could allow unauthorized users to gain control of hosting accounts. This level of access could expose websites, emails, databases, and sensitive configuration files.
Shortly after, cPanel released a security advisory confirming that patched versions are now available. The vulnerability has been fixed in the latest builds across supported versions, including 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5.
To apply the fix, administrators must manually run the command /scripts/upcp --force, which forces the system to fetch and install the latest secure update even if it appears up to date.
Systems running unsupported versions will not receive security patches, and administrators are strongly advised to upgrade immediately to a supported release.
If exploited, attackers could take full control of hosting environments. This includes modifying websites, planting backdoors or web shells, redirecting visitors to malicious pages, stealing sensitive data, sending phishing emails, and harvesting credentials from server files.
With WHM-level access, the risk becomes even more severe, as attackers could control the entire server, create or delete accounts, maintain persistent access, and use the infrastructure for malicious operations like spam campaigns, malware distribution, or botnet activity.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Website owners and hosting providers using cPanel or WHM are urged to update their systems immediately to mitigate the risk.
