Federal agencies must patch cPanel bug by Sunday, CISA says

CISA ordered federal agencies to patch CVE-2026-41940, a critical (CVSS 9.8) vulnerability in cPanel & WHM that can grant attackers full control of hosts, configurations, and managed websites. The bug is being actively exploited in the wild with evidence of exploitation since February, many internet-exposed instances may be vulnerable, vendors released detection and mitigation tools, and major hosting providers have taken emergency protective actions.