cPanel released a patch for a WebHost Manager (WHM) authentication bypass bug

**TL;DR:** cPanel disclosed a critical authentication-bypass vulnerability in WHM on April 28, 2026 that affects nearly all known versions (including EOL releases); exploits were seen in the wild before patches were released, and administrators should update immediately as root or confirm their hosting provider has applied the fixes and review server access logs for suspicious activity.