
Cybersecurity experts are raising concerns about a newly identified vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM).
The flaw lets attackers take complete control of servers running the affected software, which is believed to be used by millions of website operators worldwide.
Numerous commercial web hosting providers have already updated their customers’ systems. However, the maker of cPanel has urged users to verify that their systems are updated, because the vulnerability is present in all supported versions of the software.
cPanel and WHM are two applications for administering web servers that host websites, handle email, and manage the configurations and databases needed to keep an online domain running. Both have extensive access to the servers they control, so an attacker who compromises them could gain unrestricted access to the data managed through the affected software.
The vulnerability, tracked as CVE-2026-41940, lets attackers remotely bypass the software’s login interface and gain full access to its admin panel.
Given how widely cPanel and WHM are used across the web hosting sector, attackers could put at risk a potentially vast number of websites that have not yet been patched against this vulnerability.
Canada’s national cybersecurity agency warned that the vulnerability could be exploited to compromise websites on shared hosting platforms, such as those run by major web hosting providers.
The agency said that “exploitation is highly probable” and that prompt action by cPanel users, or their web hosting providers, is essential to prevent unauthorized access.
Web hosting leader Namecheap, which uses cPanel to let its customers manage their servers, said it restricted access to customers’ cPanel interfaces upon discovering the vulnerability to prevent exploitation, giving it time to patch its clients’ systems.
HostGator also announced that it has addressed the flaw on its systems and regards it as a “critical authentication-bypass exploit.”
One web hosting provider reported finding evidence that hackers had been exploiting the vulnerability for several months before it was detected.
KnownHost CEO Daniel Pearson said in a Reddit post that his company recorded attempts to exploit the flaw dating back to February 23. The company briefly restricted access to customer systems before applying patches.
Pearson noted that around 30 servers at KnownHost, out of the thousands of machines on its network, showed signs of unauthorized access attempts. He compared the activity to probing attempts and has not observed indications of active compromise. cPanel also mentioned deploying a security patch for WP Squared, a similar tool for managing WordPress websites.

