Critical cPanel Vulnerability (CVE-2026-41940): A Statement from Caystard Group

By Caystard Group Cybersecurity Team

May 1, 2026

On April 28, 2026, cPanel publicly disclosed a critical security vulnerability tracked as CVE-2026-41940, affecting all supported versions of cPanel and WHM. The National Vulnerability Database (NVD) classifies it as an authentication bypass in the login flow, with a CVSS score of 9.8 out of 10, placing it in the highest severity category.

The flaw allowed unauthenticated remote attackers to gain full administrative access to any exposed cPanel or WHM server without valid credentials, by manipulating session cookies through a CRLF injection attack against the cPanel service daemon (cpsrvd).

What makes this especially serious: evidence confirms that attackers had been exploiting this vulnerability in the wild since at least February 23, 2026, more than two months before public disclosure. This was a zero-day, actively weaponized against hosting infrastructure around the world before any patch existed.

This Is an Industry-Wide Crisis

This vulnerability struck the global hosting industry broadly. Major providers were forced to take emergency action. Namecheap, KnownHost, InMotion Hosting, HostPapa, and hosting.com were among those that immediately firewalled their own customers off their cPanel and WHM interfaces to prevent mass compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, with federal agencies required to patch by May 3, 2026. The Shadowserver Foundation reported over 44,000 unique IPs actively scanning or running exploits, with approximately 650,000 exposed cPanel/WHM instances reachable on the public internet.

This is one of the most severe incidents to hit the web hosting industry in recent years.

How It Affected Our Clients

A small number of client accounts across Caystard Cloud, Hostylla, and Host44 were affected. We have identified the impacted accounts and are in direct contact with each of them.

We are currently applying the official security patches released by cPanel and CloudLinux across all our platforms. Once patching is complete on your server, no further action is required on your end unless you hear from us directly.

Our Response (What We Have Done)

• April 28, 2026 - Immediate containment: Upon learning of the vulnerability, we firewalled public access to TCP ports 2083 (cPanel) and 2087 (WHM) across affected infrastructure to cut off the attack vector.

• April 28–29, 2026 - Emergency patching: All servers were force-updated to the patched cPanel and WHM releases (11.136.0.5 and above across applicable branches, and WP Squared 136.1.7).

• April 29 – May 1, 2026 - Investigation: Our team reviewed access logs and server activity across affected accounts to determine the scope of impact.

• Ongoing - Client notification and hardening: We are contacting impacted clients directly. We are restricting WHM access to trusted IP addresses by default, enforcing two-factor authentication on all administrative interfaces, and reviewing firewall posture across all three platforms.

Recommended Actions for All Clients

While we are handling the patching on our end, we recommend the following as good security practice for all clients on our platforms:

1. Change your cPanel password. Log in and update to a strong, unique password. Do not reuse any previous credential.

2. Rotate your database passwords. If your site connects to a MySQL/MariaDB database, update those credentials and reflect the change in your application’s configuration file.

3. Audit your files. Check for recently modified PHP files, unexpected scripts in /tmp or your web root, and any unfamiliar additions to your site directories.

4. Review your email accounts. Check for unexpected forwarding rules; attackers commonly add silent forwarding to retain access after a compromise.

5. Enable two-factor authentication. If not already active, enable 2FA on your cPanel account under Security → Two-Factor Authentication.
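A small audit script covering steps 3 and 4 above, added here as an example and not Caystard Group's own tooling. It assumes POSIX sh with find, awk and touch -t; the web root, temp directory and forwarder file are passed in as arguments (no cPanel storage path is assumed), and the forwarder file is assumed to hold one `address: destination` rule per line.

```shell
#!/bin/sh
# Post-compromise audit helpers for a cPanel account (added example, not
# Caystard Group's own tooling). Paths are passed in; nothing is assumed
# about where cPanel stores files. Requires POSIX sh, find, awk, touch -t.

# audit_recent_php WEBROOT CUTOFF
# Lists PHP files under WEBROOT modified after CUTOFF (touch -t form,
# YYYYMMDDhhmm). 202602230000 is the earliest known exploitation date.
audit_recent_php() {
  ref=$(mktemp) || return 1
  touch -t "$2" "$ref"                 # reference timestamp for find -newer
  find "$1" -type f -name '*.php' -newer "$ref" 2>/dev/null | sort
  rm -f "$ref"
  return 0
}

# audit_tmp_scripts DIR
# Flags regular files in DIR that are executable or start with a shebang
# or a PHP open tag: dropped scripts rarely look like ordinary temp files.
audit_tmp_scripts() {
  find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
    if [ -x "$f" ] || head -c 5 "$f" 2>/dev/null | grep -q -e '^#!' -e '^<?php'; then
      printf '%s\n' "$f"
    fi
  done
  return 0
}

# audit_forwarders FILE DOMAIN
# FILE is assumed to hold one "address: destination" rule per line (this
# format is an assumption of the example). Prints every rule whose
# destination is a mailbox outside DOMAIN, i.e. mail leaving the account.
audit_forwarders() {
  awk -v d="$2" -F': *' '
    $0 !~ /^#/ && NF >= 2 && index($2, "@") &&
    substr($2, length($2) - length(d)) != "@" d { print }
  ' "$1"
  return 0
}
```

Run each function against your own account paths and treat every line printed as something to explain, not necessarily as a compromise.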

If you need assistance, open a support ticket with your respective platform and reference CVE-2026-41940 in the subject line. Our teams are prioritizing these requests.

Our Commitment Going Forward

We are deeply sorry this has happened. While CVE-2026-41940 originated from a flaw in third-party software and struck the hosting industry globally, that does not reduce our responsibility to the clients who rely on us.

In the coming weeks, we will publish a full post-incident review covering what we found, what we are changing in our infrastructure and processes, and what additional protections we are putting in place across all Caystard Group platforms.

We owe our clients honesty, and we will continue to update this page as our investigation develops.