A critical authentication bypass vulnerability in **cPanel**, **WHM**, and **WP Squared**—tracked as **CVE-2026-41940**—is being actively exploited, according to hosting providers and security researchers. Newly published technical details describe the issue as a **CRLF injection** affecting login/session-loading flows, lowering the barrier for attackers to develop functional exploits.

### What we know

Reports indicate exploitation attempts may date back to **February 23, 2026**, before vendor fixes were available. The underlying issue is improper session handling: user-controlled data from the `Authorization` header is written into server-side session files before authentication and without sufficient sanitization. That is what makes it a CRLF injection: carriage-return and line-feed characters in the header value are not neutralized before the write, so an attacker who controls the header also controls how the stored session record is split into lines.
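As an added illustration (not code from cPanel, WHM, or the researchers who published the details), the toy below shows why writing unsanitized header data into a line-oriented session store is a CRLF injection, and what the hardened write looks like. The session-file format, the field names, the assumption that the header carries Basic authentication, and the attacker string are all constructed for this example; they are not the product's actual session format or the CVE-2026-41940 exploit.

```python
"""Toy CRLF injection into a line-oriented session file (constructed example).

Assumptions (not from the advisory): the pre-auth flow parses a Basic
`Authorization` header, stores the username in a 'key=value' session file,
and the reader treats the last occurrence of a key as authoritative.
"""
import base64
import re
from collections import Counter
from typing import Dict, Set

# Any CR or LF inside a field value would split the record into extra lines.
CONTROL_CHARS = re.compile(r"[\r\n]")

# Constructed sample headers: a normal login and an attacker-supplied one
# whose username contains CR/LF followed by an injected 'authenticated=1'.
BENIGN_HEADER = "Basic " + base64.b64encode(b"alice:pw").decode()
ATTACK_HEADER = "Basic " + base64.b64encode(
    b"guest\r\nauthenticated=1:pw"
).decode()


def username_from_basic_auth(header: str) -> str:
    """Return the user part of a Basic credential. Note that base64 transports
    CR/LF faithfully, so decoding alone is not sanitization."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("utf-8", "replace")
    user, _, _password = decoded.partition(":")
    return user


def parse_session(blob: str) -> Dict[str, str]:
    """Parse 'key=value' lines; a later key overwrites an earlier one."""
    session: Dict[str, str] = {}
    for line in blob.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        session[key.strip()] = value
    return session


def write_session_vulnerable(user_supplied: str) -> str:
    """Pre-auth write with no sanitization: embedded CR/LF in the username
    produce additional lines, and the injected 'authenticated=1' comes after
    the legitimate 'authenticated=0', so it wins on read-back."""
    return f"authenticated=0\nuser={user_supplied}\n"


def write_session_hardened(user_supplied: str) -> str:
    """Same write, but refuse any value that could start a new record line.
    Rejecting is preferable to stripping: a stripped value is still attacker
    data stored pre-auth, just with a different shape."""
    if CONTROL_CHARS.search(user_supplied):
        raise ValueError("CR/LF in session field rejected")
    return f"authenticated=0\nuser={user_supplied}\n"


def duplicated_keys(blob: str) -> Set[str]:
    """Detection heuristic for a store that writes each key once: a key that
    appears more than once in a session file is a sign of line injection."""
    counts = Counter(
        line.partition("=")[0].strip() for line in blob.splitlines() if "=" in line
    )
    return {key for key, n in counts.items() if n > 1}


def run_demo() -> Dict[str, object]:
    """Exercise both writers on the constructed headers and summarize."""
    benign_user = username_from_basic_auth(BENIGN_HEADER)
    attack_user = username_from_basic_auth(ATTACK_HEADER)

    vuln_blob = write_session_vulnerable(attack_user)
    try:
        write_session_hardened(attack_user)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    return {
        "benign_auth": parse_session(write_session_vulnerable(benign_user))["authenticated"],
        "attack_auth_vulnerable": parse_session(vuln_blob)["authenticated"],
        "attack_rejected_hardened": hardened_rejected,
        "suspicious_keys": duplicated_keys(vuln_blob),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The detection heuristic at the end is the kind of check a session-purge script can run over existing session files: any record with a repeated key was not written by the legitimate code path and should be discarded rather than trusted.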

### Why it matters

Successful exploitation could give an attacker control over:

- The cPanel host system

- Configuration and databases

- Websites managed by the server

Internet scans suggest a very large exposure footprint (Rapid7 cites ~**1.5 million** cPanel instances visible online).

### Remediation guidance

- **Patch immediately** to fixed versions listed in the vendor advisory.

- After upgrading, **restart `cpsrvd`** (as recommended by the vendor).

- If patching cannot happen right away, **restrict external access** to the cPanel, WHM, and webmail ports **2083, 2087, 2095, 2096** (for example, allow-list only administrator source addresses), or stop the relevant services, to reduce exposure. This limits reachability but does not remove the flaw, so patch as soon as possible.

- Use detection tooling/scripts to check for indicators of compromise, and be prepared to **purge sessions**, **reset credentials**, and **audit logs** if suspicious activity is found. Patching alone does not invalidate sessions an attacker may already have established, which is why purging sessions matters when compromise is suspected.