Actively exploited cPanel bug exposes millions of websites to takeover

A critical authentication-bypass vulnerability (CVE-2026-41940) in cPanel/WHM is being actively exploited in the wild; CISA added it to its Known Exploited Vulnerabilities catalog, cPanel released patches on April 28, 2026, and major hosting providers temporarily blocked cPanel interfaces while addressing exploit attempts that date back to late February 2026.