If your website runs on Web Host Manager (WHM), cPanel, or WP Squared, the server behind it may carry a critical security flaw that lets an unauthenticated attacker obtain root-level administrative access without a password.
Attackers can exploit the bug, tracked as CVE-2026-41940, to remotely bypass the control panel's login screen and gain full access to the administration interface.
Developed by WebPros International, WHM and cPanel function as a dual-layered management suite for Linux servers.
WHM is the administrative interface that controls server-wide configuration. cPanel is the per-account dashboard for individual site owners, giving them a user-friendly environment for managing their own website files, databases, and email services.
The two control panels sit behind an estimated 70+ million websites worldwide, so if you own or manage a website, there is a real chance that the server hosting it is affected.
KnownHost, a hosting provider that uses cPanel, says the bug is already being exploited to gain access to millions of websites. The company cannot say when exploitation first began, but it has traced attacks back as far as February this year.
cPanel Bug Fix
The good news is that cPanel has released a fix. To secure your server against this vulnerability, make sure your software is updated to the patched release for its branch.
For servers on the cPanel and WHM 110 branch, the fix ships in version 11.110.0.97. Servers on the 118 and 126 branches should update to 11.118.0.63 and 11.126.0.54, respectively.
The newer branches are patched as well: 132 in 11.132.0.29, 134 in 11.134.0.20, and 136 in 11.136.0.5. cPanel has also released a patched WP Squared build, version 136.1.7.
If your server is running any version older than the patched release for its branch, assume it may already have been compromised and act accordingly. Your first priority is to apply the security update immediately; the investigation comes after the door is closed.
After updating and restarting the server, perform a credential reset. Change the root password, revoke and reissue API tokens, replace SSL private keys (which means reissuing the associated certificates), and regenerate all SSH keys.
Then change every mail and database password as well, so that credentials captured before the patch cannot be reused for continued access.
If you cannot patch immediately, restrict access to the server by blocking external traffic to TCP ports 2083, 2087, 2095, and 2096. Add an allow rule for your own management address before the block rule, or you will lock yourself out of WHM along with the attackers. You can also temporarily stop the cpsrvd and cpdavd services, which closes the vulnerability's entry points entirely until the update is applied.
The recently released Detection Artefact Generator script lets administrators run a version-based scan of WHM and cPanel installations to verify whether they are exposed to CVE-2026-41940.
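The version check and the emergency lockdown described above can be scripted. The following is an added example for this article, not cPanel's Detection Artefact Generator and not KnownHost's tooling: it compares an installed cPanel/WHM version against the patched releases listed above, then prints (or, with "apply", runs) the port-blocking and service-stop commands for a host that cannot be patched yet. It assumes the installed version is stored in /usr/local/cpanel/version, that iptables is the host firewall (adjust for nftables or CSF), and that the cPanel restartsrv scripts accept a --stop flag; verify both on your own server before running it with "apply". WP Squared uses its own version scheme and is not checked here.

```shell
#!/bin/sh
# Added example for this article (not cPanel's or KnownHost's tooling).
# Part 1: compare an installed cPanel/WHM version with the patched releases.
# Part 2: print or run the emergency lockdown for a host that cannot patch.
# Assumptions: version file /usr/local/cpanel/version, iptables firewall,
# and /scripts/restartsrv_* accepting --stop. WP Squared is not covered.

# Patched release per branch, exactly as listed in the article.
patched_for_branch() {
    case "$1" in
        110) echo 11.110.0.97 ;;
        118) echo 11.118.0.63 ;;
        126) echo 11.126.0.54 ;;
        132) echo 11.132.0.29 ;;
        134) echo 11.134.0.20 ;;
        136) echo 11.136.0.5 ;;
        *)   return 1 ;;
    esac
}

# version_ge A B: succeed when dotted version A >= B, comparing each field
# as a number (so 11.136.0.5 is correctly older than 11.136.0.29).
version_ge() {
    local a="$1." b="$2." x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0   # every field equal
}

# assess_version V: print patched, vulnerable, or unknown-branch for V.
# A branch missing from the fix list should be treated as unpatched.
assess_version() {
    local branch fixed
    branch=${1#*.}; branch=${branch%%.*}      # second field, e.g. 126
    if fixed=$(patched_for_branch "$branch"); then
        if version_ge "$1" "$fixed"; then echo patched; else echo vulnerable; fi
    else
        echo unknown-branch
    fi
}

# Ports named in the article: cPanel (2083), WHM (2087), webmail (2095/2096).
CPANEL_PORTS="2083 2087 2095 2096"

# lockdown_commands [ADMIN_IP]: emit the lockdown as shell commands.
# iptables -I prepends, so the ACCEPT issued second lands above the DROP and
# the management address keeps WHM access (assumed iptables syntax).
lockdown_commands() {
    local p
    for p in $CPANEL_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $p -j DROP"
        [ -n "${1:-}" ] && echo "iptables -I INPUT -p tcp --dport $p -s $1 -j ACCEPT"
    done
    echo "/scripts/restartsrv_cpsrvd --stop"
    echo "/scripts/restartsrv_cpdavd --stop"
}

# lockdown [apply] [ADMIN_IP]: dry-run by default; "apply" executes as root.
lockdown() {
    local mode=${1:-dry-run}
    lockdown_commands "${2:-}" | while IFS= read -r cmd; do
        if [ "$mode" = apply ]; then $cmd; else echo "DRY-RUN: $cmd"; fi
    done
}

main() {
    local ver state
    ver=${1:-$(cat /usr/local/cpanel/version 2>/dev/null)}
    if [ -z "$ver" ]; then
        echo "usage: $0 <cpanel-version> [apply ADMIN_IP]"; return 0
    fi
    state=$(assess_version "$ver")
    echo "cPanel/WHM $ver: $state"
    if [ "$state" != patched ]; then
        echo "Unpatched: update now; until then, restrict access:"
        lockdown "${2:-dry-run}" "${3:-}"
    fi
}

main "$@"
```

Run it with no arguments on the server to read the installed version, or pass a version string to check a host remotely reported by your inventory (for example `sh check.sh 11.126.0.50`). The lockdown is only printed unless you add `apply`, and even then the script should be run with your management IP as the third argument so the allow rule is installed. The port block does not undo what an attacker may already have done, so it is a stopgap until the update and the credential reset above are complete.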