COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-41940

CVE-2026-41940

Severity
critical · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-04-30
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
⌖ exploited in the wild shame 85/100 ransomwareexploited-in-wildsupply-chaindata-breachauth-bypassnegligence

WebPros cPanel & WHM and WP2 suffered a critical authentication bypass allowing unauthenticated remote attackers to access the control panel.

This vulnerability enables unauthenticated remote attackers to bypass login controls and access the WebHost Manager and WordPress Squared control panels, exposing sensitive administrative functions. For DIB organizations, this represents a high-risk supply-chain failure where a widely used hosting management tool can be compromised without credentials, potentially leading to data exfiltration or ransomware deployment. Immediate patching and vendor accountability are required to mitigate this active exploitation risk.

Shame score — Critical authentication bypass in a widely deployed hosting management tool that is actively exploited and linked to ransomware.

Players implicated

WebPros · vendorcPanel & WHM and WP2 (WordPress Squared) · product

Description

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.