Get all your news in one place.
100's of premium titles.
One app.
Start reading
TechRadar
TechRadar
Benedict Collins

'The Internet is falling down': Critical cPanel CRLF injection vulnerability puts tens of millions of websites at risk of total compromise – hosting providers urged to apply CVE-2026-41940 patch immediately

Internet
An image showing the administrator panel of a server rack that is urgently applying a patch to a critical vulnerability.
  • New critical severity vulnerability allows for authentication bypass
  • The vulnerability affects cPanel and WebHost Manager
  • Attackers can gain full root administrator privileges over any server

Researchers at watchTowr Labs have dissected a critical authentication bypass in cPanel and Web Host Manager (WHM) that allows remote attackers to gain full admin access over servers upon which much of the internet relies.

The vulnerability, tracked as CVE-2026-41940 and given a near-top severity score of 9.8, has been exploited in the wild, as confirmed by KnownHost.

A patch for the vulnerability has been released and administrators are urged to apply the patch immediately.

Administrators urged to update immediately

For those not aware, cPanel is a layer of software that essentially acts as the control panel for a website. Rather than using code, cPanel is the button that allows you to update some text or upload a file onto a website. cPanel is also where the layout and data of your website is stored. WHM on the other hand is what handles every website at the server level.

The crux of the vulnerability lies in the attacker forging an authenticated session without requiring a password. This provides the attacker with root level access to WHM, and therefore access to every website, database, and user account hosted on that particular server.

From here, there are many options for an attacker. They could steal all of your website and user data, upload malware - or they could simply delete everything on the server.

As explained by watchTowr Labs (in their characteristic quirky format), the exploit relies on the attacker using CRLF (Carriage Return Line Feed) to inject a new line of code into the cPanel Logbook that bypasses session file encryption and establishes the attacker as the root administrator, giving the attacker access to the WHM admin panel and therefore access to the server. (If you want an even more technical breakdown, see the watchTowr Labs report).

The patch for the vulnerability has also added a new ‘sanitization’ function that scrubs any data you send to the server, preventing new lines of code from being snuck in.

For administrators, cPanel recommends updating to the following versions:

  • cPanel & WHM 110.0.x - patched in 11.110.0.97 (was 11.110.0.96)
  • cPanel & WHM 118.0.x - patched in 11.118.0.63 (was 11.118.0.61)
  • cPanel & WHM 126.0.x - patched in 11.126.0.54 (was 11.126.0.53)
  • cPanel & WHM 132.0.x - patched in 11.132.0.29 (was 11.132.0.27)
  • cPanel & WHM 134.0.x - patched in 11.134.0.20 (was 11.134.0.19)
  • cPanel & WHM 136.0.x - patched in 11.136.0.5 (was 11.136.0.4)
Sign up to read this article
Read news from 100's of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Bonnie Blue Triggered 'Pregnant' Drinking Backlash to Fuel Insane £1M Rage-Bait Scam
Adult creator Bonnie Blue faces backlash after nightclub footage and her admitted fake‑pregnancy 'rage bait' stunts, which she claims earned her about £1 million.
International Business Times UK
International Business Times UK
Demi Moore Allegedly 'Checked Into Rehab' After Fulfilling Her Promise to Never Leave Bruce Willis Alone
Demi Moore maintains a close bond with ex-husband Bruce Willis amid his dementia battle, despite false rumours of her overstepping boundaries in his care.
International Business Times UK
International Business Times UK
Sylvester Stallone marks 29 years of marriage to Jennifer Flavin
Nearly three years after the couple briefly split and appeared headed for divorce, Sylvester Stallone has marked 29 years of marriage to Jennifer Flavin with a heartfelt social media tribute.
BANG Premier
BANG Premier
‘It just kept getting worse and worse’: South Carolina family showed up to their Florida Airbnb and only managed to stay there for three hours
Not even worthy of a 1-star review.
We Got This Covered
We Got This Covered
‘This should not be legal’: Iowa man never tips at his regular restaurant. Then he opens his receipt and finds an $11 surprise
The hottest U.S. culture debate reignites.
We Got This Covered
We Got This Covered
Teens are drinking less than their parents’ generation – but it may not be a good thing
Loneliness, worries over body image and slimmed budgets are among the factors said to be driving Gen Z to away from drinking
The Independent UK
The Independent UK
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.
Download on the AppStore Get it on Google Play