A critical authentication bypass flaw, tracked as CVE-2026-41940, affects cPanel & WHM and WP Squared deployments and has been publicly reported as under active exploitation. The vulnerability can let unauthenticated remote attackers bypass normal login controls in certain conditions and potentially obtain administrative access to internet-facing hosting systems that manage websites, databases, email, DNS, SSL certificates, and customer accounts.
Guidance tied to the disclosure urges organizations to apply vendor-patched builds immediately and investigate for signs of compromise, as a successful breach could expose downstream environments and sensitive business data. Recommended response actions include isolating affected servers, rotating credentials, removing attacker persistence, and rebuilding compromised systems, alongside longer-term hardening such as MFA, network segmentation, reduced internet exposure, tighter privileged access, and continuous vulnerability monitoring.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Public reporting indicated that CVE-2026-41940, a critical authentication bypass affecting cPanel & WHM and WP Squared deployments, was being actively exploited in the wild. The flaw could allow unauthenticated remote attackers to bypass authentication and potentially gain administrative access to internet-facing hosting infrastructure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
secpod.com
Open sourcesecpod.com
Open sourcesecpod.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.