CRITICAL · CVE-2026-41940 · CNA: VulnCheck
CVE-2026-41940: WebPros cPanel and WHM Authentication Bypass via Login Flow
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 11.86.0.41
- Affected Products: 3
Fix available
11.86.0.41, 11.94.0.28, 11.102.0.39, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5, 11.136.1.7
Affected packages
- WebPros / cPanel: < 11.86.0.41 (from 11.40.0.0) · < 11.94.0.28 (from 11.88.0.0) · < 11.102.0.39 (from 11.96.0.0) · < 11.110.0.97 (from 11.104.0.0) · < 11.118.0.63 (from 11.112.0.0) · < 11.124.0.35 (from 11.120.0.0)
- WebPros / WP Squared: Fixed in 11.136.1.7
- WebPros / WHM: < 11.86.0.41 (from 11.40.0.0) · < 11.94.0.28 (from 11.88.0.0) · < 11.102.0.39 (from 11.96.0.0) · < 11.110.0.97 (from 11.104.0.0) · < 11.118.0.63 (from 11.112.0.0) · < 11.124.0.35 (from 11.120.0.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N