Imagine someone knows a single trick - and can use it to take over the management console of over 70 million websites worldwide. No password. No two-factor authentication. Just a manipulated HTTP request, and the door is open.
Exactly that has been possible since February 2026 - and was actively exploited before a patch even existed. The vulnerability is called CVE-2026-41940. It affects cPanel and WebHost Manager (WHM), by far the most widely used hosting management software in the world. And it carries a CVSS score of 9.8 out of 10 - just below the theoretical maximum.
1.5 million open doors. 70 million domains affected.
Shodan data shows approximately 1.5 million cPanel instances directly reachable over the internet. The Shadowserver Foundation reports 650,000 IP addresses with exposed installations. cPanel controls 94 percent of the hosting control panel market. And the attackers knew about the vulnerability before a patch even existed.
What cPanel is - and why it matters
cPanel and WHM are the invisible infrastructure of the internet. Anyone who has ever operated a website through a shared hosting provider has likely used cPanel - for email configurations, database access, file transfers, domain management. WHM is the layer above: root access to the entire server, SSL certificates, security protocols, management of all customer accounts at once.
watchTowr Labs, the security firm that technically analyzed the vulnerability, puts it succinctly: You can think of cPanel as the keys to the kingdom - and WHM as the keys to every single apartment within it. And the kingdom is the internet.
The vulnerability: A technical error with far-reaching consequences
CRLF Injection: The manipulated login
CVE-2026-41940 is technically a so-called CRLF (carriage return / line feed) injection. cPanel's daemon writes a session file to disk during the login process before authentication is completed. An attacker sends a manipulated Authorization header with embedded line breaks and a misconfigured cookie. Because the line breaks are written out unchanged, this places custom key-value pairs into the session file - including user=root, hasroot=1, tfa_verified=1. The result: full root access to WHM without ever having entered a valid password.
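The bug class described above, reduced to a toy model in Python as an added example (not cPanel's code and not taken from the watchTowr analysis). The function names, the fields `origin` and `auth_hint`, and the one-pair-per-line file format are assumptions; only the injected keys come from the article.

```python
import re

# Toy model of a line-oriented "key=value" session record. The real cPanel
# session format is not shown on this page; this is a constructed stand-in
# for the bug class and its fix.
CTRL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and other control characters


def write_session_unsafe(fields):
    """Vulnerable pattern: values are written verbatim, one pair per line."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def write_session_safe(fields):
    """Hardened pattern: refuse any key or value carrying control characters."""
    for k, v in fields.items():
        if CTRL.search(k) or CTRL.search(v) or "=" in k:
            raise ValueError(f"control character or '=' in session field {k!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def parse_session(text):
    """Reader that trusts every line, as a naive session loader would."""
    pairs = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            pairs[k] = v
    return pairs


def safe_write_rejects(fields):
    """True if the hardened writer refuses the record."""
    try:
        write_session_safe(fields)
    except ValueError:
        return True
    return False


# Constructed input: a pre-authentication value copied from a request header
# that carries extra lines using the keys named in the article.
untrusted = "guest\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1"
pre_auth_fields = {"origin": "login-form", "auth_hint": untrusted}

# With the unsafe writer, the reader sees privileged keys the server never set.
forged = parse_session(write_session_unsafe(pre_auth_fields))
```

The second half of the fix is ordering: a record that grants privileges should only be written after authentication has succeeded, so that even a parsing flaw cannot be reached from an unauthenticated request.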
Zero-day for months: The timeline
February 23, 2026: First documented exploit attempts. Mid-April: The vulnerability was reported to cPanel - the manufacturer's first response was reportedly that no problem existed. April 28: Patch released. April 29: CISA adds CVE-2026-41940 to the KEV catalog. For over two months, the vulnerability was open to anyone who knew the trick.
Real consequences: Ransomware and emergency measures
A small business was hit with ransomware after an attack through a standard cPanel installation. The attackers demanded $7,000. Namecheap temporarily blocked access to cPanel and WHM entirely - your hosting provider locking you out of your own management console because it is too dangerous.
What the BSI says
The German Federal Office for Information Security issued an official cybersecurity warning on April 30, 2026. The agency makes clear: the vulnerability could have been exploited as a zero-day for weeks beforehand. Checking for prior compromise is therefore absolutely necessary - not just a recommended, optional step. Patching alone is not enough.
The key takeaway
cPanel is not an exotic edge case. It is an example of how far-reaching the consequences can be when central infrastructure - on which the hosting backbone of the internet relies - has a single unpatched vulnerability. The error itself is relatively simple: missing input sanitization at a single point in the code. The impact is maximal.
Sources
- BSI - Cybersecurity Warning 2026-246817-1032
  Official warning from the German Federal Office for Information Security regarding CVE-2026-41940:
  bsi.bund.de - Cybersecurity Warning
- CISA - Known Exploited Vulnerabilities Catalog
  CVE-2026-41940 added on April 29, 2026:
  cisa.gov - KEV Catalog
- NVD (NIST) - CVE-2026-41940
  US National Vulnerability Database, technical details:
  nvd.nist.gov - CVE-2026-41940
- TechCrunch: Hackers are actively exploiting a bug in cPanel
  Report on active exploitation, millions of websites affected:
  techcrunch.com - cPanel exploit
- The Register: Critical cPanel exploited - millions of sites could be hit
  Detailed report on the scale and hosting provider responses:
  theregister.com - cPanel vulnerability
- The Register: Critical cPanel, WHM flaw probs exploited as 0-day
  Initial reporting on zero-day exploitation:
  theregister.com - cPanel 0-day
- watchTowr Labs: The Internet Is Falling Down
  Technical analysis and proof-of-concept for CVE-2026-41940:
  labs.watchtowr.com - cPanel Technical Analysis
- Rapid7: CVE-2026-41940 - cPanel & WHM Authentication Bypass
  Threat analysis with Shodan data on exposed instances:
  rapid7.com - cPanel Threat Analysis
- Help Net Security: cPanel zero-day exploited for months
  Report on months-long zero-day exploitation before patch release:
  helpnetsecurity.com - cPanel Zero-Day
- Malwarebytes: Actively exploited cPanel bug exposes millions
  Analysis of the impact on website operators and hosting customers:
  malwarebytes.com - cPanel Bug Analysis
- The Hacker News: Critical cPanel Authentication Vulnerability
  Summary of the vulnerability and its implications:
  thehackernews.com - cPanel Vulnerability
- Namecheap Status: Critical Security Vulnerability with cPanel/WHM
  Official statement from the hosting provider on emergency measures:
  namecheap.com - Security Update