cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCpanel
APPCpanel11.40 – 86.0.41 (bez)88.0.0 – 110.0.97 (bez)112.0.0 – 118.0.63 (bez)120.0.0 – 124.0.35 (bez)126.0.1 – 126.0.54 (bez)128.0.0 – 130.0.19 (bez)132.0.0 – 132.0.29 (bez)134.0.0 – 134.0.20 (bez)136.0.0 – 136.0.5 (bez)Cpanel Whm
APPCpanel11.40 – 86.0.41 (bez)88.0.0 – 110.0.97 (bez)112.0.0 – 118.0.63 (bez)120.0.0 – 124.0.35 (bez)126.0.1 – 126.0.54 (bez)128.0.0 – 130.0.19 (bez)132.0.0 – 132.0.29 (bez)134.0.0 – 134.0.20 (bez)136.0.0 – 136.0.5 (bez)Cpanel Wp Squared
APPCpanel< 136.1.7
CISA KEV — detailsi
- Vendori
- WebPros ↗
- Producti
- cPanel & WHM and WP2 (WordPress Squared)
- Added to KEVi
- April 30, 2026
- Remediation deadline (US Federal)i
- May 3, 2026(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Related vulnerabilities
In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).
In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).
cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).
chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).
cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).