CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Exposes Hosting Servers to Admin Takeover
ID: d2a0810c-0b7b-544b-bf5f-5c678a0f723f
STIX ID: report--d2a0810c-0b7b-544b-bf5f-5c678a0f723f
Feed Name: SOC Prime Blog
**Executive summary:** CVE-2026-41940 is a critical (CVSS 9.8) authentication bypass in cPanel & WHM. It leverages CRLF/session injection to write attacker-controlled attributes (e.g., user=root) into pre-auth session files, enabling unauthenticated administrative access. Public PoC/exploit code and reports of active exploitation increase the immediate risk, with roughly 1.5 million exposed cPanel instances cited. Administrators should apply vendor patches, restart cpsrvd, run the vendor detection script against /var/cpanel/sessions, purge suspicious sessions, and treat confirmed hits as incidents requiring password resets and log/persistence auditing.
