Critical cPanel bug under active attack prompts emergency patches worldwide

cPanel pushed emergency patches after an authentication flaw let attackers log in to control panels. Hosts said the bug was already being abused in the wild, possibly for 30 days or more.

Lisa Park
Source: techcrunch.com

Site owners running cPanel and WHM were pushed to patch immediately after cPanel said a critical authentication flaw had already led to unauthorized logins on control panels that manage websites, email and server settings. The company said the issue affected all currently supported versions and warned that unsupported servers could still be exposed.

cPanel assigned the bug CVE-2026-41940 and rated it 9.8 out of 10.0, a critical score that reflects the risk from unauthenticated remote attackers gaining unauthorized access. The company pushed fixes for multiple release tiers, including 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20 and 11.136.0.5. Its emergency guidance told administrators to run /scripts/upcp force right away, and to reduce exposure by blocking access to cPanel-related ports 2083, 2087, 2095 and 2096 at the firewall while also disabling service subdomains and proxy subdomains.
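
As an added example (not cPanel's or this article's own code), the shell function below compares a cPanel & WHM version string against the fixed builds listed above. It assumes the installed version is stored in /usr/local/cpanel/version in 11.x.y.z form; because the article's list is introduced with "including", any tier it does not name is reported as unknown.

```sh
#!/bin/sh
# Added example: classify a cPanel & WHM version against the fixed builds
# the article lists for CVE-2026-41940.

# Fixed builds named in the article. The list may not be exhaustive, so
# tiers that are not present here are reported as "unknown".
FIXED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# check_cpanel_version VERSION
# Prints one of: patched | vulnerable | unknown | invalid
check_cpanel_version() {
    ver=$1
    # Accept only digits and dots, with no empty fields.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS
    IFS=.; set -- $ver; IFS=$old_ifs
    # Expect exactly four fields: major.tier.minor.build
    [ $# -eq 4 ] || { echo invalid; return 0; }
    major=$1 tier=$2 minor=$3 build=$4

    for fixed in $FIXED_BUILDS; do
        IFS=.; set -- $fixed; IFS=$old_ifs
        # Only compare against the fixed build of the same release tier.
        if [ "$major" -eq "$1" ] && [ "$tier" -eq "$2" ]; then
            if [ "$minor" -gt "$3" ] ||
               { [ "$minor" -eq "$3" ] && [ "$build" -ge "$4" ]; }; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    echo unknown
}

# Assumption: the installed version lives in this file on a cPanel server.
VERSION_FILE=${VERSION_FILE:-/usr/local/cpanel/version}
if [ -r "$VERSION_FILE" ]; then
    installed=$(cat "$VERSION_FILE")
    echo "$installed: $(check_cpanel_version "$installed")"
fi
```

A result of unknown or vulnerable means the server should be updated and, until then, kept behind the firewall restrictions described above.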

The incident quickly took on the shape of a mass-exposure infrastructure problem rather than a narrow software bug. Hosting firms use cPanel to run large numbers of small-business, nonprofit and local-government sites, so a flaw in the control panel can cascade across entire fleets of accounts. cPanel later described the problem as an authentication login exploit and said unauthorized logins were occurring to cPanel and WHM, underscoring that the immediate danger was account takeover, not just disruption.

Hosts began adding their own emergency controls. Namecheap said it applied a firewall rule to block TCP ports 2083 and 2087 until a full patch was in place across supported servers. The company framed the issue as an authentication login exploit that could allow unauthorized access to the control panel, a reminder that even a short window of exposure can put customer sites, mailboxes and server settings in attacker hands.

The clock on the vulnerability appears to have started well before the public warning. The Hacker News described the flaw as under active exploitation as a zero-day, and KnownHost chief executive Daniel Pearson said it had been used in the wild for at least the last 30 days, if not longer. That timeline raises hard questions about how long unauthorized access may have been available, and whether vendors and hosting firms moved fast enough to contain a flaw that could ripple through thousands of websites at once.
