The web server and management software cPanel and WebHost Manager (WHM) are once again vulnerable. In the worst case, malicious code can reach systems and compromise them. Admins should install the patched versions promptly.
The developers recently warned of a “critical” security vulnerability (CVE-2026-41940) that could allow attackers to access the control panel without logging in. Attackers are already exploiting this gap, and more than 4,000 instances in Germany have already been attacked.
Closing the vulnerabilities
The three new vulnerabilities (CVE-2026-29202 “high”, CVE-2026-292203 “high”, CVE-2026-29201 “medium”) are listed in the security area of the cPanel website. In the first case, user input in the context of the create_user plugin is not sufficiently validated, allowing attackers to inject and execute malicious code on systems in the name of an already authenticated user.
The second vulnerability allows attackers to trigger DoS conditions, and thus crashes, through insecure handling of symlinks, or to obtain higher user privileges. In the third case, unauthorized file access is conceivable. How these attacks could actually take place is still unclear.
The software developer has not yet issued any warnings about attacks that are already underway against the new vulnerabilities. However, admins should not wait too long and should install the security updates that are available for download. These versions of cPanel, WHM and WP Squared are protected against the attacks described:
- 11.136.0.9
- 11.134.0.25
- 11.132.0.31
- 11.130.0.22
- 11.126.0.58
- 11.124.0.37
- 11.118.0.66
- 11.110.0.116
- 11.110.0.117
- 11.102.0.41
- 11.94.0.30
- 11.86.0.43
- 11.136.1.10 (WP Squared)
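As an added example (not from the article or from cPanel), a small Python check that tells an admin whether an installed cPanel/WHM version is at or above the patched release for its branch, using the version list above. The version strings it checks are constructed samples; the WP Squared build is left out because it is a separate product line, and a branch missing from the list is reported as unknown rather than assumed safe.

```python
"""Compare an installed cPanel/WHM version against the patched releases
listed in the article, branch by branch. Added example; sample inputs
are constructed, not taken from any real host."""

# Patched releases as published by cPanel (copied from the article's list).
FIXED_VERSIONS = [
    "11.136.0.9", "11.134.0.25", "11.132.0.31", "11.130.0.22",
    "11.126.0.58", "11.124.0.37", "11.118.0.66", "11.110.0.116",
    "11.110.0.117", "11.102.0.41", "11.94.0.30", "11.86.0.43",
]


def parse_version(text):
    """Turn '11.130.0.22' into a tuple of ints so comparisons are numeric,
    not lexical (as strings, '11.94' would wrongly sort above '11.130')."""
    return tuple(int(part) for part in text.strip().split("."))


def branch_of(version):
    """The release branch is the first two components, e.g. (11, 130)."""
    return version[:2]


def minimum_fixed_by_branch(fixed=FIXED_VERSIONS):
    """Lowest patched release per branch. 11.110 appears twice in the list,
    so the lower of the two is kept as the threshold."""
    result = {}
    for text in fixed:
        v = parse_version(text)
        b = branch_of(v)
        if b not in result or v < result[b]:
            result[b] = v
    return result


def patch_status(installed, fixed=FIXED_VERSIONS):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version
    string. An unlisted branch is not treated as safe."""
    v = parse_version(installed)
    minimum = minimum_fixed_by_branch(fixed).get(branch_of(v))
    if minimum is None:
        return "unknown-branch"
    return "patched" if v >= minimum else "vulnerable"


if __name__ == "__main__":
    # Constructed sample version strings; on a real host, substitute the
    # version reported by the installation.
    for sample in ("11.130.0.20", "11.130.0.22", "11.94.0.31", "11.100.0.1"):
        print(sample, "->", patch_status(sample))
```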
