RC RANDOM CHAOS

cPanel/WHM emergency patch closes 9.8-severity auth bypass in hosting control panels

via BleepingComputer

Original source: cPanel, WHM emergency update fixes critical auth bypass bug (BleepingComputer)

WebPros has shipped an out-of-band fix for CVE-2026-41940, a 9.8-rated authentication bypass in cPanel and WHM that lets attackers reach the control panel without credentials. Technical details are being held back, but the severity prompted Namecheap to firewall ports 2083 and 2087 across its fleet before patches landed, a strong signal that the bug is straightforwardly exploitable. Patched builds are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5; admins must run /scripts/upcp --force to pull them, since the normal update path may report the system as already current.
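Because the normal update path may report the server as current, the first thing an operator wants is a quick, local way to tell whether the installed build is at or above the fixed build for its branch. The script below is an added example written for this summary, not code from cPanel, WebPros or the article. It takes the fixed-build list quoted above as given, reads the version string from /usr/local/cpanel/version (the standard location; treated here as an assumption), and classifies the host as patched, unpatched, or on a branch with no fix, which the article says must be upgraded outright.

```shell
#!/bin/sh
# Added example (not from the article): decide whether an installed cPanel/WHM
# build is at or above the fixed build for its branch.

# Minimum fixed build per branch, as listed in the summary.
FIXED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# is_number STRING: true when STRING is a non-empty run of digits.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cpanel_patch_status VERSION
#   Prints one of: patched, unpatched, unsupported, invalid.
#   Returns 0, 1, 2 or 3 respectively so callers can branch on the status.
cpanel_patch_status() {
    ver="$1"
    branch=$(printf '%s' "$ver" | cut -d. -f1-2)   # e.g. 11.110
    minor=$(printf '%s' "$ver" | cut -d. -f3)      # e.g. 0
    build=$(printf '%s' "$ver" | cut -d. -f4)      # e.g. 97

    if ! is_number "$minor" || ! is_number "$build"; then
        echo invalid
        return 3
    fi

    for fixed in $FIXED_BUILDS; do
        fbranch=$(printf '%s' "$fixed" | cut -d. -f1-2)
        fminor=$(printf '%s' "$fixed" | cut -d. -f3)
        fbuild=$(printf '%s' "$fixed" | cut -d. -f4)
        [ "$branch" = "$fbranch" ] || continue

        # Same branch: compare (minor, build) numerically against the fix.
        if [ "$minor" -gt "$fminor" ] ||
           { [ "$minor" -eq "$fminor" ] && [ "$build" -ge "$fbuild" ]; }; then
            echo patched
            return 0
        fi
        echo unpatched
        return 1
    done

    # Branch not in the fixed list: no patch exists for it; upgrade the branch.
    echo unsupported
    return 2
}

# Stand-alone use on a cPanel host (assumed version file location).
if [ -r /usr/local/cpanel/version ]; then
    installed=$(cat /usr/local/cpanel/version)
    status=$(cpanel_patch_status "$installed") || true
    echo "cPanel $installed: $status"
fi
```

A host reporting "unpatched" should be updated with /scripts/upcp --force and re-checked; "unsupported" means the branch is not in the fixed list and needs a branch upgrade rather than a patch. The port blocking Namecheap applied (2083/2087 at the firewall) is the interim control while either of those runs.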

Blast radius is the story. cPanel access hands an attacker the full hosting account — sites, mail, databases, config files — making it trivial to drop web shells, harvest credentials, or pivot phishing infrastructure. WHM compromise is worse: full server control, account creation and deletion, and persistence suitable for proxying, spam, or botnet use. Hosts running unsupported cPanel versions get no patch and need to upgrade branches outright.

The pattern is familiar — a pre-auth flaw in software that sits at the perimeter of a huge slice of the shared-hosting ecosystem, with a manual update step that a meaningful fraction of operators will skip. Mass scanning for unpatched 2083/2087 endpoints should be assumed already in progress.


This is an AI-generated summary. Read the original for the full story.