cPanel has released an emergency security update to address CVE-2026-41940, a Critical vulnerability with a CVSS score of 9.8. This flaw allows an unauthenticated remote attacker to bypass the login flow and gain direct access to cPanel/WHM interfaces exposed to the internet — without any prior privileges or user interaction — potentially leading to full compromise of the hosting environment. Active exploitation in the wild was confirmed prior to the release of the official patch.
The vulnerability affects servers running unpatched versions of cPanel/WHM, particularly when external access is enabled on the following ports: 2083 (cPanel) · 2087 (WHM) · 2095/2096 (Webmail).
According to the official cPanel advisory, the vulnerability affects all currently supported versions of cPanel/WHM, including DNSOnly. Emergency security updates have been released for the following tracks:
11.110.0.97 | 11.118.0.63 | 11.126.0.54 | 11.132.0.29 | 11.134.0.20 | 11.136.0.5
The update also includes WP Squared 136.1.7.
For IQ Hosting clients using our fully managed cPanel/WHM services, the emergency security update has already been applied and the vulnerability has been remediated across all managed servers.
No action is required from managed clients at this time.
For any unmanaged or independently administered cPanel/WHM servers, the security update must be applied immediately via SSH:
/scripts/upcp --force
Verify the cPanel version after the update completes:
/usr/local/cpanel/cpanel -V
Restart the cPanel service:
/scripts/restartsrv_cpsrvd
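The verification step can be scripted so the result is a clear pass or fail against the patched builds listed above. This is an added example, not part of the original notice or cPanel's own tooling. It assumes the version is supplied in the same four-part dotted form as that list; the function name check_cpanel_version and the use of /usr/local/cpanel/version as the source of that string are assumptions.

```shell
#!/bin/sh
# Patched builds copied from the notice above, one per release track.
PATCHED="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# check_cpanel_version VERSION   (hypothetical helper name)
# Return codes: 0 = at or above the patched build for its track
#               1 = on a listed track but below the patched build
#               2 = unparseable, or track not in the notice's list
check_cpanel_version() {
    ver=$1
    # Accept only digits and dots, with no empty fields.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*)
            echo "UNKNOWN: cannot parse version '$ver'"
            return 2 ;;
    esac
    track=${ver%.*}    # everything before the last dot, e.g. 11.136.0
    build=${ver##*.}   # last field, e.g. 5
    for p in $PATCHED; do
        if [ "${p%.*}" = "$track" ]; then
            if [ "$build" -ge "${p##*.}" ]; then
                echo "OK: $ver is at or above patched build $p"
                return 0
            fi
            echo "NOT PATCHED: $ver is below patched build $p"
            return 1
        fi
    done
    # Tracks missing from the list cannot be judged from this notice alone.
    echo "UNKNOWN: track $track is not in the notice's list, check the advisory"
    return 2
}

# Check the local install when the version file is readable (assumed path).
if [ -r /usr/local/cpanel/version ]; then
    check_cpanel_version "$(cat /usr/local/cpanel/version)" || :
fi
```

A non-zero return code makes the function usable in fleet automation, for example to flag hosts that still need /scripts/upcp --force.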
For full details, refer to the official cPanel security advisory.
IQ Hosting continuously monitors security updates across all hosting and server services, applying necessary remediations to managed infrastructure to ensure the highest levels of security and stability.
Best regards,
IQ Hosting Team