{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/cpanel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":true,"_cs_products":["cPanel \u0026 WHM"],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","cPanel","web hosting","vulnerability"],"_cs_type":"threat","_cs_vendors":["cPanel"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, CVE-2026-41940, affects all versions of cPanel \u0026amp; WHM. This vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems due to improper handling of session data. Public technical analyses and proof-of-concept code are available, significantly lowering the barrier to exploitation. There are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day. cPanel \u0026amp; WHM is commonly exposed to the internet and manages hosting environments, making it an attractive target for attackers seeking control over hosting infrastructures and numerous websites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a cPanel \u0026amp; WHM server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the cPanel \u0026amp; WHM login endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request manipulates session creation and processing by injecting controlled data into the session files.\u003c/li\u003e\n\u003cli\u003eThis injected data alters authentication-related attributes within the session, bypassing the normal authentication flow.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully establishes a session that is treated as fully authenticated without providing valid credentials.\u003c/li\u003e\n\u003cli\u003eWith administrative privileges, the attacker gains full control over the cPanel server.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses hosted websites and databases, potentially compromising sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through backdoors or additional user accounts, ensuring continued access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 allows attackers to gain complete control over cPanel \u0026amp; WHM servers. This can lead to the compromise of hosted websites, databases, and sensitive customer data. Given the central role of cPanel in hosting environments, this vulnerability can result in large-scale compromise affecting multiple customers and services. The widespread use of cPanel \u0026amp; WHM makes this a high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by cPanel to address CVE-2026-41940 immediately after thorough testing to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eImplement increased monitoring and detection capabilities to identify suspicious activity related to CVE-2026-41940 as recommended by CCB.\u003c/li\u003e\n\u003cli\u003eReview web server logs for unusual patterns or requests targeting cPanel login endpoints to detect potential exploitation attempts. Create a Sigma rule based on webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor for unauthorized changes to user accounts or the creation of new administrative accounts on cPanel servers. Create a Sigma rule based on process creation logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:16:14Z","date_published":"2026-04-30T12:16:14Z","id":"/briefs/2026-05-cpanel-auth-bypass/","summary":"CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel \u0026 WHM, allowing unauthenticated remote attackers to gain administrative access by manipulating session data.","title":"Critical Authentication Bypass Vulnerability in cPanel \u0026 WHM (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":false,"_cs_products":["WHM","cPanel"],"_cs_severities":["critical"],"_cs_tags":["cpanel","whm","authentication-bypass","CVE-2026-41940","webserver"],"_cs_type":"advisory","_cs_vendors":["cPanel"],"content_html":"\u003cp\u003eOn April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the cPanel/WHM interface.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the server to identify valuable files, directories, and database configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker executes uploaded payloads to establish persistent access, such as a web shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade cPanel and WHM installations to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later to patch CVE-2026-41940.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule \u003ccode\u003eDetectCpanelAuthBypassAccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit access to cPanel/WHM administrative interfaces and monitor the user activity by deploying the Sigma rule \u003ccode\u003eDetectCpanelAccountManipulation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T16:16:25Z","date_published":"2026-04-29T16:16:25Z","id":"/briefs/2026-04-cpanel-auth-bypass/","summary":"An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.","title":"cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CPanel","version":"https://jsonfeed.org/version/1.1"}