CVE-2026-41940
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Confirmed exploited in the wild. Added 2026-04-30.
Federal remediation due 2026-05-03.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Summary
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Our coverage
- cPanel and WHM Patch Three Vulnerabilities Including RCE and Privilege Escalation
- cPanel CVE-2026-41940 Was Actively Exploited for 30 Days Before Patch
Data: NIST NVD + CISA KEV. Always verify against the vendor advisory before acting.