ctipilot.ch

cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

cPanel / WHM saw two emergency Targeted Security Releases inside ten days, with the second arriving against a fleet that had not yet recovered from the first. CVE-2026-41940 (CRLF cookie-forge unauthenticated bypass) drove mass exploitation from approximately 2026-02-23 through the emergency patch on 2026-04-28 — roughly two months of zero-day exposure during which Shadowserver telemetry estimated ~44,000 IP addresses likely compromised; multiple distinct threat-actor campaigns deployed payloads, including a "Sorry" Go-based Linux encryptor and AdaptixC2 against government and military entities (watchTowr Labs · Rapid7 ETR · Help Net Security, 2026-05-04 · daily 2026-05-06 first coverage). The second TSR landed 2026-05-08 with three CVEs initially under responsible-disclosure embargo (and dropped from § 3 of the daily that day for that reason); the embargo lifted 2026-05-09 with technical analyses from The Hacker News and Panelica (daily 2026-05-09, daily 2026-05-10 UPDATE).

The compounding pattern is what makes this a multi-day-chain entry: cPanel hosts that recovered from the ~February–April CVE-2026-41940 wave now face fresh primitives — CVE-2026-29202 (CVSS 8.8) is post-auth Perl execution in the create_user API (any authenticated cPanel user with API access can inject and execute arbitrary Perl code in their system account context); CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse for privilege escalation or denial of service; CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure (The Hacker News, 2026-05-09 · NCSC-CH 12550, 2026-05-08 · Panelica, 2026-05-08). An attacker who used CVE-2026-41940 to obtain unauthenticated cPanel access can pivot to CVE-2026-29202 to escalate privilege or persist inside the same compromised host. No confirmed in-the-wild exploitation of the second batch at week-end, but the population of unpatched hosts overlaps materially with the recovering CVE-2026-41940 fleet. Patch path: cPanel/WHM patched builds 11.136.0.9+, 11.134.0.25+, 11.132.0.31+; operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually. European hosting providers and MSPs serving public-sector clients remain the structural exposure concentration.
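As an added example (not code from the brief or from cPanel's own tooling): a branch-aware fleet check that classifies hosts against the fixed builds quoted above, using a constructed inventory. It assumes each host's version string is the contents of /usr/local/cpanel/version and treats branches the TSR does not name as needing manual review rather than guessing.

```python
"""Flag cPanel/WHM hosts still below the TSR-fixed builds named in the brief.

Constructed example: the inventory below is made-up sample data; the fixed
builds (11.136.0.9, 11.134.0.25, 11.132.0.31) are the ones quoted in the brief.
"""

# Minimum fixed build per release branch, keyed by the first two components.
FIXED_BUILDS = {
    (11, 136): (11, 136, 0, 9),
    (11, 134): (11, 134, 0, 25),
    (11, 132): (11, 132, 0, 31),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a cPanel build string such as '11.134.0.25' into an int tuple.

    Numeric tuples compare correctly; plain string comparison would rank
    '11.134.0.3' above '11.134.0.25' and call an unpatched host patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one host."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unknown-branch"  # branch not named in the TSR: review manually
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status; the 'vulnerable' list is the set of hosts whose
    operators must run /scripts/upcp by hand if auto-update is off or pinned."""
    out: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, ver in inventory.items():
        out[assess(ver)].append(host)
    return out


# Constructed inventory: hostname -> contents of /usr/local/cpanel/version
# (assumed path; collect it with whatever fleet tooling you already run).
SAMPLE_INVENTORY = {
    "web01.example.net": "11.136.0.9",
    "web02.example.net": "11.136.0.8",
    "web03.example.net": "11.134.0.3",   # string comparison would misjudge this one
    "web04.example.net": "11.132.0.31",
    "web05.example.net": "11.130.0.12",  # branch not in the TSR list
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15s} {', '.join(hosts) or '-'}")
```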