CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

https://notcve.org/view.php?id=CVE-2026-41940

29 Apr 2026 — cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. • https://docs.cpanel.net/release-notes/release-notes • CWE-306: Missing Authentication for Critical Function •