Executive Summary
CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog on 2026-04-30, with a due date of 2026-05-03, and marks known ransomware campaign use as Known CISA KEV opens in a new tab. The affected products are cPanel & WHM, including DNSOnly, and WP2 (WordPress Squared). CISA describes the issue as an authentication bypass in the login flow that allows unauthenticated remote attackers to gain unauthorized control-panel access CISA KEV opens in a new tab.
WebPros says the issue affects all cPanel software versions after 11.40, pushed patched builds for active branches, and provided a detection script that inspects /var/cpanel/sessions and /usr/local/cpanel/logs/access_log for compromised session indicators cPanel opens in a new tab. Treat internet-exposed cPanel or WP2 login surfaces as active intrusion risk until patched-build proof and session-file review are complete.