A critical security vulnerability in cPanel and WebHost Manager (WHM) is being actively exploited by hackers, putting millions of websites at risk. The flaw, tracked as CVE-2026-41940, allows attackers to remotely bypass the login screen and gain full administrative access to affected servers — potentially giving them unrestricted access to websites, emails, databases, and other data managed by the software.
cPanel and WHM are widely used web server management tools estimated to be in use by tens of millions of website owners worldwide. The bug affects all supported versions of the software, and cPanel’s maker has urged all customers to apply patches immediately.
Evidence suggests the vulnerability has been exploited since at least February 2026. KnownHost CEO Daniel Pearson wrote on Reddit that his company detected exploitation attempts dating back to February 23, with around 30 servers on its network showing signs of unauthorized access attempts. Pearson noted these appeared to be attempts rather than confirmed compromises.
Several major web hosting providers have already responded. Namecheap temporarily blocked customer access to cPanel panels to prevent exploitation while it applied patches. Hostgator also patched its systems, describing the flaw as a “critical authentication-bypass exploit.” cPanel additionally released a security fix for WP Squared, a related tool used to manage WordPress websites.
Canada’s national cybersecurity agency issued an advisory warning that exploitation is “highly probable” and called for immediate action from cPanel customers or their web hosts. The agency noted the bug could be used to compromise websites on shared hosting servers — a concern given how many websites share infrastructure at large hosting providers.
The scale of cPanel’s deployment across the web hosting industry means unpatched systems could expose a large number of websites to takeover. Website owners who manage their own hosting are advised to verify their systems have received the latest security update.
Source: TechCrunch