CVE-2026-41940

Summary

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Affected Software

VendorProductVersion RangeStatus
WebProscPanel11.40.0.0 < 11.86.0.41affected
WebProscPanel11.88.0.0 < 11.94.0.28affected
WebProscPanel11.96.0.0 < 11.102.0.39affected
WebProscPanel11.104.0.0 < 11.110.0.97affected
WebProscPanel11.112.0.0 < 11.118.0.63affected
WebProscPanel11.120.0.0 < 11.124.0.35affected
WebProscPanel11.126.0.0 < 11.126.0.54affected
WebProscPanel11.128.0.0 < 11.130.0.19affected
WebProscPanel11.132.0.0 < 11.132.0.29affected
WebProscPanel11.134.0.0 < 11.134.0.20affected
WebProscPanel11.136.0.0 < 11.136.0.5affected
WebProsWP Squared11.136.1.7unaffected
WebProsWHM11.40.0.0 < 11.86.0.41affected
WebProsWHM11.88.0.0 < 11.94.0.28affected
WebProsWHM11.96.0.0 < 11.102.0.39affected
WebProsWHM11.104.0.0 < 11.110.0.97affected
WebProsWHM11.112.0.0 < 11.118.0.63affected
WebProsWHM11.120.0.0 < 11.124.0.35affected
WebProsWHM11.126.0.0 < 11.126.0.54affected
WebProsWHM11.128.0.0 < 11.130.0.19affected
WebProsWHM11.132.0.0 < 11.132.0.29affected
WebProsWHM11.134.0.0 < 11.134.0.20affected
WebProsWHM11.136.0.0 < 11.136.0.5affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

CVE Program Container

Additional References

References