Pentest-Tools.com has released a free scanner for CVE-2026-41940, a CVSS 9.8 critical authentication bypass in cPanel & WHM and WP Squared that has been actively exploited since at least February 2026. The flaw is a CRLF injection in cpsrvd that lets unauthenticated attackers bypass login entirely by manipulating the whostmgrsession cookie. With roughly 1.5 million cPanel/WHM interfaces exposed on the internet, the blast radius is large: a single compromised server can expose every account hosted on it. A patch was released April 28, 2026; Cloudflare deployed an emergency WAF rule on April 30. The scanner goes beyond version checks by sending a crafted payload and evaluating the server's actual response. Recommended mitigations include patching, restricting ports 2082/2083/2086/2087 to trusted IPs, and monitoring access logs for suspiciously fast authentication.
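
A log-side check for the last mitigation in that list, added here as an example that is not part of the article or of Pentest-Tools.com's scanner: it parses Apache-style access log lines (a constructed format; verify it against the real cpsrvd access_log layout before reuse) and flags client IPs that reach a session-token (`/cpsess…/`) URL within a few seconds of their first request, which is the "suspiciously fast authentication" pattern a bypass would leave behind.

```python
"""Flag client IPs whose cPanel/WHM authentication completes implausibly fast.

Added example, not code from the article or from Pentest-Tools.com. It assumes an
Apache combined-style access log (constructed here) and that authenticated
requests carry a /cpsess<digits>/ session-token prefix in the URL path.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 logs in 32 s after first contact (normal),
# 203.0.113.9 has an authenticated session URL on its very first request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:00 +0000] "GET /login/ HTTP/1.1" 200 1200
10.0.0.5 - - [01/May/2026:10:00:31 +0000] "POST /login/ HTTP/1.1" 301 0
10.0.0.5 - - [01/May/2026:10:00:32 +0000] "GET /cpsess1234567890/ HTTP/1.1" 200 5000
203.0.113.9 - - [01/May/2026:10:05:00 +0000] "GET /cpsess9876543210/scripts/ HTTP/1.1" 200 5000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SESSION_RE = re.compile(r"^/cpsess\d+/")  # assumed session-token path convention


def parse(log_text):
    """Yield (ip, timestamp, path, status) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])


def fast_auth_ips(log_text, min_seconds=5):
    """Return {ip: seconds} for IPs whose first authenticated (session-path, 2xx)
    request arrives fewer than min_seconds after their first request of any kind.
    A delta of 0 means the session existed with no preceding login traffic."""
    first_seen, first_session = {}, {}
    for ip, ts, path, status in parse(log_text):
        first_seen.setdefault(ip, ts)
        if SESSION_RE.match(path) and 200 <= status < 300:
            first_session.setdefault(ip, ts)
    flagged = {}
    for ip, sess_ts in first_session.items():
        delta = (sess_ts - first_seen[ip]).total_seconds()
        if delta < min_seconds:
            flagged[ip] = delta
    return flagged


if __name__ == "__main__":
    for ip, secs in fast_auth_ips(SAMPLE_LOG).items():
        print(f"suspicious: {ip} reached a session URL {secs:.0f}s after first contact")
```

Run it against a real access_log only after adjusting `LINE_RE` and `SESSION_RE` to that file's actual format; the threshold is a heuristic, not a signature.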

From itsecurityguru.org