Hackers Exploit cPanel Bug Affecting Millions of Websites

Security experts are raising concerns about a new vulnerability in the popular web server management software cPanel and WebHost Manager (WHM). The flaw allows hackers to gain full control of servers using the affected software, which is believed to be utilized by millions of website owners globally.

Numerous web hosting companies have already patched their customer systems, but the cPanel developer urged users to ensure their systems are updated, as the bug impacts all supported software versions.

cPanel and WHM manage web servers that host sites, handle emails, and manage critical configurations and databases for internet domains. These suites have deep server access, so a compromise potentially gives hackers unrestricted access to data.

The vulnerability, identified as CVE-2026-41940, permits hackers to remotely bypass the login screen and access the administration panel.

Given the extensive use of cPanel and WHM, unpatched systems could lead to widespread website compromises. Canada’s cybersecurity agency warned that the bug could be exploited against shared hosting servers, posing a high risk of compromise, and urged swift action from users and hosts to block unauthorized access.

Namecheap, a major web host using cPanel, temporarily blocked customer access to cPanel to prevent exploitation and allow system updates. Hostgator also patched its systems and labeled the bug a critical exploit.

Evidence suggests hackers exploited the vulnerability months before detection, with KnownHost CEO Daniel Pearson indicating attempts since February 23. KnownHost temporarily blocked access to implement patches, noting unauthorized attempts on 30 servers. cPanel has also issued a security update for WP Squared, a WordPress management tool.
