cPanel’s authentication bypass bug is being exploited in the wild, CISA warns
ID: f84a6689-3acf-5f03-8e01-8844585f1fee
STIX ID: report--f84a6689-3acf-5f03-8e01-8844585f1fee
Feed Name: CyberScoop
A critical authentication bypass (CVE-2026-41940) in cPanel/WHM and WP Squared is being actively exploited: attackers can inject newline characters into password fields to poison session files and obtain authenticated sessions without valid credentials. cPanel released patches across multiple branches along with detection scripts. Vendors such as Namecheap temporarily blocked cPanel ports and applied fixes, and security firms report widespread exposure (Rapid7/Shodan ~1.5M instances) and confirmed exploitation before the patch was available. The flaw carries a CVSS score of 9.8, and CISA added the CVE to its Known Exploited Vulnerabilities list.
