Security researchers are ringing the alarm bells - and not the fun, party kind - over a freshly discovered vulnerability in cPanel and WebHost Manager (WHM), the web server management software that powers roughly a gazillion websites (okay, tens of millions). The bug, officially tracked as CVE-2026-41940, lets hackers waltz right past the login screen and seize full control of affected servers, like a digital version of leaving your front door unlocked with a neon "free stuff" sign.

cPanel and WHM are the unsung heroes of web hosting, handling everything from site configurations to email management to database upkeep - basically, the digital plumbing that keeps internet domains from flooding. Since these suites have deep, unrestricted access to the servers they manage, a successful hack means attackers can rummage through all the data like a nosy neighbor at a garage sale.

Many commercial web hosting companies have already patched their customers' systems, but cPanel's maker is urging everyone to double-check, because the bug affects all supported versions. Yes, all of them. Canada's national cybersecurity agency chimed in with an advisory that exploitation is "highly probable," which is government-speak for "stop scrolling and patch this now."

Web hosting giant Namecheap, which uses cPanel for its customers, blocked access to cPanel panels upon learning of the flaw - like a bouncer shutting down the VIP lounge before the party gets trashed. HostGator also patched its systems, calling the bug a "critical authentication-bypass exploit," which sounds terrifying and is.

One web hosting company, KnownHost, found evidence that hackers have been abusing the vulnerability since February 23 - that's months of uninvited guests lurking in the digital shadows. CEO Daniel Pearson took to Reddit to share that about 30 of KnownHost's servers showed signs of attempted unauthorized access, though no active compromises were confirmed. He characterized the efforts as attempts, which is reassuring in the same way a half-open window is.

cPanel also rolled out a security fix for WP Squared, a similar tool for managing WordPress sites, because apparently this week's theme is "patch everything." If you're using cPanel, maybe check with your web host - or just assume they've got it handled and hope for the best.