Critical cPanel vulnerability actively exploited in the wild
Vulnerability Management, Patch/Configuration Management
April 30, 2026
By SC Staff

As detailed in Bleeping Computer, a critical authentication bypass vulnerability, identified as CVE-2026-41940 and affecting cPanel, WHM, and WP Squared, has been actively exploited by attackers since late February.

The vulnerability stems from a Carriage Return Line Feed (CRLF) injection flaw within the login and session loading processes of cPanel & WHM. It allows attackers to bypass authentication by exploiting improper session handling: user-controlled input from the Authorization header is written into server-side session files without proper sanitization. Successful exploitation grants attackers control over the host system, its configurations, databases, and managed websites.

Hosting providers such as KnownHost reported exploitation attempts as early as February 23, 2026. cPanel released an emergency fix on April 28, 2026, with specific patched versions for affected releases. In response, Namecheap temporarily blocked access to cPanel and WHM ports until patches were applied. Approximately 1.5 million cPanel instances are exposed online, though the exact number vulnerable to this specific flaw is unknown.

The vendor strongly advises customers to restart the "cpsrvd" service after applying updates or, if patching is not immediate, to block external access to specific ports and stop core services.

Source: Bleeping Computer
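To illustrate the class of flaw described above, the following is an added example; it is not cPanel's code, and the line-oriented "key=value" session format, the field names and the header values are all constructed here for illustration rather than taken from cPanel & WHM. It shows a session writer that copies an untrusted value verbatim, so a value containing CR/LF breaks out of its own line and overrides an earlier field when the file is loaded, beside a hardened writer that refuses control characters, plus a simple check a defender can run over request header values to flag the same pattern.

```python
import re

# Any ASCII control character (CR, LF, NUL, ...) has no business inside a
# session field; rejecting the whole range is simpler and safer than
# special-casing "\r" and "\n".
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def serialize_session_vulnerable(fields: dict) -> str:
    """Writes one 'key=value' line per field with no sanitization.

    A value that contains CR/LF therefore produces an extra line, which the
    loader below will treat as a separate, trusted key=value pair.
    """
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_session_hardened(fields: dict) -> str:
    """Same format, but refuses any key or value carrying a control character
    before it can reach the session file."""
    for k, v in fields.items():
        if CONTROL_CHARS.search(k) or CONTROL_CHARS.search(v):
            raise ValueError(f"control character in session field {k!r}")
    return serialize_session_vulnerable(fields)


def parse_session(text: str) -> dict:
    """Loads 'key=value' lines. A later duplicate key overrides an earlier one,
    which is exactly what makes an injected line dangerous."""
    session = {}
    for line in text.splitlines():
        if not line or "=" not in line:
            continue
        k, v = line.split("=", 1)
        session[k] = v
    return session


def build_session(untrusted_token: str, hardened: bool) -> dict:
    """Simulates creating a session for an unauthenticated request.

    `untrusted_token` stands in for request-controlled input (assumption:
    a value taken from a client-supplied header). `auth_state` is written
    before the token, so an injected 'auth_state=...' line lands after it
    and wins in the vulnerable writer.
    """
    fields = {
        "auth_state": "pending",   # server-decided, should never be client-set
        "user": "",
        "client_token": untrusted_token,
    }
    writer = serialize_session_hardened if hardened else serialize_session_vulnerable
    return parse_session(writer(fields))


def flag_suspicious_headers(values: list) -> list:
    """Defender-side check: returns the indexes of header values that contain
    control characters, the signature of a line-injection attempt."""
    return [i for i, v in enumerate(values) if CONTROL_CHARS.search(v)]


if __name__ == "__main__":
    # Constructed sample: a benign token and one carrying an embedded CRLF.
    benign = "abc123"
    injected = "abc123\r\nauth_state=ok"

    print("vulnerable, benign  :", build_session(benign, hardened=False))
    print("vulnerable, injected:", build_session(injected, hardened=False))
    try:
        build_session(injected, hardened=True)
    except ValueError as exc:
        print("hardened, injected  : rejected ->", exc)

    print("flagged header indexes:",
          flag_suspicious_headers([benign, injected, "Basic dXNlcjpwYXNz"]))
```

The two serializers differ only in the validation step, which is the point: once a request-controlled value is allowed to contain a line terminator, the file format itself cannot distinguish an injected field from a legitimate one, so the check has to happen before the write. The `flag_suspicious_headers` helper is the same predicate applied at the edge, useful for reviewing proxy or access logs while patches are rolled out.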