Malwarebytes

Actively exploited cPanel bug exposes millions of websites to takeover


Security researchers are warning about a newly discovered vulnerability in cPanel and WebHost Manager (WHM), the widely used web server management software.

It is a critical, actively exploited authentication-bypass bug in cPanel/WHM that lets attackers gain administrative access to the management interface without credentials, and potentially take over the server and every site it hosts.

The vulnerability, tracked as CVE-2026-41940, has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA), meaning there is evidence it is being used in real-world attacks.

Because cPanel/WHM is used by over a million sites worldwide, including banks and health organizations, the potential impact is huge. In simple terms, the bug can act like a front‑door key to a big chunk of the web’s hosting infrastructure.

cPanel released patches on April 28, 2026, and urged all customers and hosts to update. It said all supported versions after 11.40 are affected, including DNSOnly and WP Squared.

Hosting providers including Namecheap, HostGator, and KnownHost temporarily blocked access to cPanel interfaces while patching, treating this as a critical authentication bypass and reporting exploit attempts going back to late February 2026.
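For administrators who run their own cPanel/WHM servers, the practical question after reading an advisory like this is "is my build already on the fixed release?" The script below is an added example, not code from the Malwarebytes article or from cPanel. It assumes the installed build is the first line of /usr/local/cpanel/version (the path can be overridden with CPANEL_VERSION_FILE for testing), and it takes the minimum patched version as an operator-supplied argument, because the article does not state the fixed build numbers for each release tier; read those from cPanel's own advisory. /scripts/upcp is cPanel's standard update script.

```shell
#!/bin/sh
# Added example (not from the Malwarebytes article or from cPanel): confirm
# the installed cPanel/WHM build is at or above a minimum patched version.
#
# Assumptions: the build string lives on the first line of
# /usr/local/cpanel/version (override with CPANEL_VERSION_FILE for testing),
# and MINIMUM comes from the operator, taken from cPanel's advisory for the
# server's release tier. No fixed build number is hard-coded here.

CPANEL_VERSION_FILE="${CPANEL_VERSION_FILE:-/usr/local/cpanel/version}"

# version_at_least HAVE WANT -> exit 0 if HAVE >= WANT, else 1.
# Compares dotted numeric versions component by component
# (e.g. 11.110.0.15); missing trailing components count as 0, so
# "11.110" equals "11.110.0.0". Non-numeric components are not expected
# in cPanel build strings and would make the numeric tests fail closed.
version_at_least() {
    have="$1."
    want="$2."
    while [ -n "$have" ] || [ -n "$want" ]; do
        a=${have%%.*}; have=${have#*.}
        b=${want%%.*}; want=${want#*.}
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# installed_cpanel_version -> prints the installed build; exit 1 if unknown.
installed_cpanel_version() {
    [ -r "$CPANEL_VERSION_FILE" ] || return 1
    head -n 1 "$CPANEL_VERSION_FILE"
}

# check_cpanel_patched MINIMUM -> 0 if at or above MINIMUM, 1 if below,
# 2 if the installed version cannot be determined.
check_cpanel_patched() {
    minimum="$1"
    installed=$(installed_cpanel_version) || {
        echo "cannot read $CPANEL_VERSION_FILE; is this a cPanel server?" >&2
        return 2
    }
    if version_at_least "$installed" "$minimum"; then
        echo "OK: cPanel $installed is at or above $minimum"
        return 0
    fi
    echo "ACTION NEEDED: cPanel $installed is below $minimum; run /scripts/upcp and recheck" >&2
    return 1
}

# Usage: sh check_cpanel.sh MINIMUM_VERSION   (MINIMUM from cPanel's advisory)
if [ "$#" -ge 1 ]; then
    check_cpanel_patched "$1"
fi
```

Run it with the minimum build for your tier after the update completes; a non-zero exit is the signal to keep the interface firewalled off until the update has actually landed, which is what the hosting providers above did.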

How to stay safe

While it’s up to the hosting companies and website owners to patch as quickly as possible, there are ways to reduce your risk if a site you use is compromised.

As always, limit the data you share with websites to what’s absolutely necessary. Data they don’t have can’t be stolen.

When ordering from an online retailer, don’t tick the box to save your card details for future purchases as they will be stored on the server.

If there’s an option to check out as a guest, use it. It reduces the amount of personal data tied to an account.

Don’t reuse passwords. When one site is compromised, having the same credentials in several places turns it into a multi‑account takeover problem. A password manager can help you create complex unique passphrases, and remember them for you.

Where possible, pay by credit card. In many regions, this gives you stronger fraud protection.




When a site you trust gets hacked

If you think you’ve been affected by a data breach, take the following steps:

  • Check the company’s advice. Every breach is different, so check with the company to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA, such as codes sent by text message or typed from an app, can be phished just as easily as a password; a FIDO2 credential is bound to the genuine site's origin, so a look-alike phishing page can't use it.
  • Watch out for impersonators. The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but it increases risk if a retailer suffers a breach.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover afterwards.

What do cybercriminals know about you?

Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.


