This critical cPanel & WHM vulnerability, CVE-2026-41940 (CVSS score 9.8), affects all versions after 11.40 and has been exploited in the wild since February/March 2026.
Patch to the fixed builds immediately.
Key Details and Mitigation:
Vulnerability Type: Authentication bypass via CRLF injection. A remote attacker can inject carriage-return/line-feed sequences to manipulate session files and take control of the server.
Impact: Full control over web hosting accounts, databases, and server configuration.
Status: Actively exploited in the wild; urgent action is required.
Mitigation: Update to the patched versions immediately (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5 or newer).
Action for Admins: Run /scripts/upcp --force and review access logs for suspicious activity.
Emergency Measure: If patching cannot be done immediately, block public access to the cPanel ports (2082, 2083) and WHM ports (2086, 2087), allowing only trusted administrative addresses.
The vulnerability affects both cPanel & WHM and DNSOnly instances, with CISA adding it to its Known Exploited Vulnerabilities catalog.
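The three administrative steps above (confirm the build, review access logs, block the ports) as one POSIX shell example. This is added here and is not the advisory's or cPanel's own code. It assumes the installed build can be read from /usr/local/cpanel/version, treats percent-encoded CR/LF in a request line as a generic CRLF-injection heuristic rather than an indicator published for this CVE, runs on a constructed log sample, and prints the iptables rules instead of applying them.

```shell
#!/bin/sh
# Added example for this advisory; not cPanel's code and not the original post's.
# 1) compare an installed build with the fixed build for its branch,
# 2) count access-log request lines carrying encoded CR/LF (assumed heuristic),
# 3) emit (not apply) iptables rules for the emergency port block.

# Fixed build per branch (major.minor), exactly as listed in the advisory.
fixed_build_for_branch() {
  case "$1" in
    11.110) echo 11.110.0.97 ;;
    11.118) echo 11.118.0.63 ;;
    11.126) echo 11.126.0.54 ;;
    11.132) echo 11.132.0.29 ;;
    11.134) echo 11.134.0.20 ;;
    11.136) echo 11.136.0.5 ;;
    *)      echo "" ;;
  esac
}

# version_ge A B: succeed when dotted version A >= B, comparing each field
# numerically so that 11.136.0.10 sorts above 11.136.0.5 (a string sort would not).
version_ge() {
  i=1
  while :; do
    fa=$(printf '%s' "$1" | cut -d. -f"$i")
    fb=$(printf '%s' "$2" | cut -d. -f"$i")
    [ -z "$fa" ] && [ -z "$fb" ] && return 0
    fa=${fa:-0}; fb=${fb:-0}
    [ "$fa" -gt "$fb" ] && return 0
    [ "$fa" -lt "$fb" ] && return 1
    i=$((i + 1))
  done
}

# cpanel_is_patched VERSION: prints patched / UNPATCHED / unknown-branch.
# A branch with no listed fix (an end-of-life build after 11.40, or a branch
# newer than the list) is reported as unknown-branch: check the vendor release
# notes for it rather than assuming it is safe.
cpanel_is_patched() {
  branch=$(printf '%s' "$1" | cut -d. -f1,2)
  fixed=$(fixed_build_for_branch "$branch")
  if [ -z "$fixed" ]; then
    echo unknown-branch
  elif version_ge "$1" "$fixed"; then
    echo patched
  else
    echo UNPATCHED
  fi
}

# count_crlf_requests < access_log: number of lines containing a percent-encoded
# CR (%0d) or LF (%0a) in either case. Assumption: injection attempts arrive
# URL-encoded in the request line; this is a generic heuristic, so review hits
# by hand rather than treating every match as an exploit.
count_crlf_requests() {
  grep -ciE '%0d|%0a' || true
}

# Constructed sample in common log format (not real traffic); two of the four
# request lines carry encoded CR/LF.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [02/Mar/2026:10:00:01 +0000] "GET /login/?user=admin HTTP/1.1" 401 512
203.0.113.5 - - [02/Mar/2026:10:00:02 +0000] "GET /login/?user=admin%0d%0aX-Injected:%201 HTTP/1.1" 200 512
198.51.100.7 - - [02/Mar/2026:10:00:03 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 9000
203.0.113.5 - - [02/Mar/2026:10:00:04 +0000] "POST /login/?user=%0A%0Dx HTTP/1.1" 200 77
EOF
)

# emit_port_block_rules ADMIN_CIDR: print iptables rules that accept the cPanel
# (2082/2083) and WHM (2086/2087) ports only from ADMIN_CIDR and drop the rest.
# Printed, not applied: on a host managed by CSF or firewalld, express the same
# rule through that tool so it survives a firewall reload.
emit_port_block_rules() {
  ports=2082,2083,2086,2087
  # DROP is inserted first, then ACCEPT is inserted above it, so the final
  # chain order is ACCEPT (admin) followed by DROP (everyone else).
  echo "iptables -I INPUT 1 -p tcp -m multiport --dports $ports -j DROP"
  echo "iptables -I INPUT 1 -p tcp -m multiport --dports $ports -s $1 -j ACCEPT"
}

# Demo: builds from the advisory plus one unpatched and one unlisted branch.
for v in 11.110.0.96 11.110.0.97 11.136.0.5 11.136.0.12 11.100.0.5; do
  printf '%-14s %s\n' "$v" "$(cpanel_is_patched "$v")"
done
# On a real host, check the installed build the same way (path assumed).
if [ -r /usr/local/cpanel/version ]; then
  printf '%-14s %s\n' installed "$(cpanel_is_patched "$(cat /usr/local/cpanel/version)")"
fi
printf 'CR/LF request lines in sample: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_crlf_requests)"
emit_port_block_rules 203.0.113.10/32
```

Run the version check again after /scripts/upcp --force completes; a build that still reports UNPATCHED or unknown-branch should keep the port block in place until the vendor confirms a fix for that branch.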
References To Check:
https://www.cve.org/CVERecord?id=CVE-2026-41940
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
https://developers.cloudflare.com/changelog/post/2026-04-30-emergency-waf-release
For more, visit:
https://www.websecurityinsights.my.id/
