
Hackers Are Exploiting Critical cPanel Bug, Putting Millions of Websites at Risk

by Paul Balo
May 1, 2026
in Security

Web hosting providers are racing to secure their infrastructure after security researchers disclosed a serious vulnerability in cPanel and WebHost Manager (WHM), the widely used server management tools that power tens of millions of websites.

The flaw, tracked as CVE-2026-41940, allows hackers to remotely bypass the login page and gain full access to the software’s administration panel. Because cPanel and WHM sit at the heart of many hosting environments, successful exploitation can effectively hand over complete control of affected servers.

cPanel and WHM are software suites used by hosting companies and administrators to manage web servers, websites, email, databases and key configuration settings. By design, they have deep access to the underlying systems they control, making them particularly sensitive points of failure when bugs are discovered.

According to the details shared so far, the CVE-2026-41940 vulnerability affects all supported versions of cPanel. The company behind cPanel has urged customers to ensure their systems are updated, and many commercial web hosts have already pushed patches to customer environments.

Because the bug lets an attacker bypass authentication and reach the administration interface directly, a successful exploit could provide unrestricted access to the data and services hosted on vulnerable servers. Given how widely cPanel and WHM are deployed across the web hosting industry, unpatched systems could expose large numbers of websites to compromise.

Canada’s national cybersecurity agency, in an advisory about the flaw, warned that the vulnerability could be used to compromise websites on shared hosting servers, such as those run by major hosting providers. The agency said “exploitation is highly probable” and called for immediate action by cPanel customers or their hosting providers to prevent malicious access.

Several big-name web hosting companies have already taken visible steps in response to the vulnerability.

  • Namecheap, which uses cPanel to let its customers manage their web servers, said it temporarily blocked access to customers’ cPanel panels after learning of the flaw. The move was intended to prevent exploitation while the company patched its customers’ systems.
  • HostGator confirmed that it has patched its systems and is treating the vulnerability as a “critical authentication-bypass exploit.”

One hosting provider says it has seen signs that attackers have been probing this weakness for some time. KnownHost CEO Daniel Pearson wrote in a Reddit post that the company observed attempts to exploit the vulnerability as early as February 23. In response, KnownHost briefly blocked access to customer systems while it applied patches.

Pearson said about 30 servers in KnownHost’s fleet showed signs of unauthorized attempted access, out of thousands of machines on its network. He characterized what the company saw as attempts rather than confirmed takeovers, and said the company has not found evidence of active compromise. The activity suggests, however, that at least some hackers were aware of and trying to exploit the bug months before the current wave of attention.

Alongside fixing the main cPanel and WHM issue, cPanel also rolled out a security fix for WP Squared, a related tool used for managing WordPress websites.

For website owners, the immediate priority is to confirm whether their hosting provider has deployed the relevant patches, or, for self-managed servers, to apply updates directly. Because this bug bypasses the login screen altogether, simply changing passwords or tightening user access is not enough on its own.

Update: This story will be updated as more hosting providers disclose their status and additional technical details about CVE-2026-41940 become public.

Tags: cpanel, CVE-2026-41940, vulnerability
Paul Balo

Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
