CVE-2026-41940 PUBLISHED

cPanel and WHM Authentication Bypass via Login Flow

Assigner: VulnCheck
Reserved: 22.04.2026
Published: 29.04.2026
Updated: 30.04.2026

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor: cPanel
Product: cPanel
Versions: Default: unaffected
  • affected from 11.110.0 to 11.110.0.97 (excl.)
  • affected from 11.118.0 to 11.118.0.63 (excl.)
  • affected from 11.126.0 to 11.126.0.54 (excl.)
  • affected from 11.132.0 to 11.132.0.29 (excl.)
  • affected from 11.134.0 to 11.134.0.20 (excl.)
  • affected from 11.136.0 to 11.136.0.5 (excl.)
  • affected from 11.86.0 to 11.86.0.41 (excl.)
  • affected from 11.130.0 to 11.130.0.18 (excl.)
Vendor: cPanel
Product: WP Squared
Versions: Default: unaffected
  • affected from 11.136.1 to 11.136.1.7 (excl.)
Vendor: cPanel
Product: WHM
Versions: Default: affected
  • affected from 11.110.0 to 11.110.0.97 (excl.)
  • affected from 11.118.0 to 11.118.0.63 (excl.)
  • affected from 11.126.0 to 11.126.0.54 (excl.)
  • affected from 11.132.0 to 11.132.0.29 (excl.)
  • affected from 11.134.0 to 11.134.0.20 (excl.)
  • affected from 11.136.0 to 11.136.0.5 (excl.)
  • affected from 11.86.0 to 11.86.0.41 (excl.)
  • affected from 11.130.0 to 11.130.0.18 (excl.)

Problem Types

  • CWE-306 Missing Authentication for Critical Function