Security researchers are sounding the alarm over a recently discovered vulnerability in the widely used cPanel and WebHost Manager (WHM) web server management software.
The flaw allows hackers to hijack and take full control of the servers running the affected software, which is believed to be used by tens of millions of website owners around the world.
Many commercial web hosting companies have already patched their customers’ systems. However, the cPanel maker has urged customers to ensure their systems are patched, as the bug affects all supported versions of the software.
cPanel and WHM are two software suites used to manage web servers that host websites, manage email, and handle important configurations and databases needed to maintain an Internet domain. The two suites have deep access to the servers they manage, allowing a malicious hacker potentially unlimited access to data managed by the affected software.
The bug, officially tracked as CVE-2026-41940, allows malicious hackers to remotely bypass the login screen and gain full access to the software’s control panel.
Given the ubiquity of cPanel and WHM software in the web hosting industry, hackers could compromise a large number of unpatched websites.
Canada’s national cyber security agency said in an advisory that the bug could be exploited to deface websites on shared hosting servers, such as those operated by large web hosting companies.
The agency said that “exploitation is highly likely” and that immediate action by cPanel customers or their web hosts is necessary to prevent malicious access.
Web hosting giant Namecheap, which uses cPanel to allow its customers to manage their web servers, said the company blocked access to customers’ cPanel panels after learning of the flaw to prevent the exploit and give it time to repair its customers’ systems.
HostGator said it too had patched its systems, and described the bug as a “critical authentication-bypass exploit”.
One web hosting company says it found evidence that hackers had been attempting to exploit the vulnerability for months before the attempts were discovered.
KnownHost CEO Daniel Pearson said in a Reddit post that his company had seen attempts to exploit the vulnerability as early as February 23. The company, he said, also briefly blocked access to customer systems before patches were applied.
According to Pearson, about 30 servers at KnownHost showed signs of unauthorized access attempts from thousands of computers on its network, but the company has seen no signs of active compromise. cPanel also said a security patch has been released for WP Squared, a similar tool for managing WordPress websites.
