Anonymous, about 3 hours ago
A critical authentication bypass vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel & WHM — the control panel software managing an estimated 70 million web domains — was exploited as a zero-day for at least two months before a patch was released on April 28, 2026. The flaw allows unauthenticated attackers to gain root-level access to hosting servers through a simple CRLF injection in the login process, and CISA has added it to its Known Exploited Vulnerabilities catalog as active exploitation campaigns deploy botnets and cryptominers on compromised systems.