cPanel/WHM authentication bypass — mass exploitation ongoing (KEV deadline 2026-05-21)

cve · CVE-2026-41940

Coverage timeline

first 2026-05-06 → last 2026-05-06

Briefs

1 distinct

Sources cited

7 hosts

Sections touched

active_vulns

Co-occurring entities

no co-occurrence

Story timeline

2026-05-06CTI Daily Brief — 2026-05-06
active_vulnsFirst coverage. CRLF injection auth bypass in cPanel/WHM; exploited since ~2026-02-23 (two months before patch); ~44,000 hosts likely compromised; Sorry ransomware and AdaptixC2 campaigns; CISA KEV 2026-04-30.

Where this entity is cited

active_vulns1

Source distribution

cyberscoop.com1 (14%)
helpnetsecurity.com1 (14%)
labs.watchtowr.com1 (14%)
panelica.com1 (14%)
rapid7.com1 (14%)
security-hub.ncsc.admin.ch1 (14%)
thehackernews.com1 (14%)

External references

NVD · cve.org · CISA KEV

All cited sources (7)

Items in briefs about cPanel/WHM authentication bypass — mass exploitation ongoing (KEV deadline 2026-05-21)

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.