‘The Internet is falling down’: Critical cPanel CRLF injection vulnerability puts tens of millions of websites at risk of total compromise – hosting providers urged to apply CVE-2026-41940 patch immediately

New critical severity vulnerability allows for authentication bypass
The vulnerability affects cPanel and WebHost Manager
Attackers can gain full root administrator privileges over any server

Researchers at watchTowr Labs have dissected a critical authentication bypass in cPanel and Web Host Manager (WHM) that allows remote attackers to gain full admin access over servers upon which much of the internet relies.

The vulnerability, tracked as CVE-2026-41940 and given a near-top severity score of 9.8, has been exploited in the wild, as confirmed by KnownHost.

For those not aware, cPanel is a layer of software that essentially acts as the control panel for a website. Rather than using code, cPanel is the button that allows you to update some text or upload a file onto a website. cPanel is also where the layout and data of your website is stored. WHM on the other hand is what handles every website at the server level.

The crux of the vulnerability lies in the attacker forging an authenticated session without requiring a password. This provides the attacker with root level access to WHM, and therefore access to every website, database, and user account hosted on that particular server.

From here, there are many options for an attacker. They could steal all of your website and user data, upload malware – or they could simply delete everything on the server.

As explained by watchTowr Labs (in their characteristic quirky format), the exploit relies on the attacker using CRLF (Carriage Return Line Feed) to inject a new line of code into the cPanel Logbook that bypasses session file encryption and establishes the attacker as the root administrator, giving the attacker access to the WHM admin panel and therefore access to the server. (If you want an even more technical breakdown, see the watchTowr Labs report).

The patch for the vulnerability has also added a new ‘sanitization’ function that scrubs any data you send to the server, preventing new lines of code from being snuck in.

For administrators, cPanel recommends updating to the following versions:

cPanel & WHM 110.0.x – patched in 11.110.0.97 (was 11.110.0.96)
cPanel & WHM 118.0.x – patched in 11.118.0.63 (was 11.118.0.61)
cPanel & WHM 126.0.x – patched in 11.126.0.54 (was 11.126.0.53)
cPanel & WHM 132.0.x – patched in 11.132.0.29 (was 11.132.0.27)
cPanel & WHM 134.0.x – patched in 11.134.0.20 (was 11.134.0.19)
cPanel & WHM 136.0.x – patched in 11.136.0.5 (was 11.136.0.4)

The best antivirus for all budgets

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

https://cdn.mos.cms.futurecdn.net/oBKjbRrwVPMjCaSZUkq4Mc-2560-80.png

Source link
benedict.collins@futurenet.com (Benedict Collins)

ICYMI: the 8 biggest tech stories of the week, from new Moto foldables to electric air taxis

‘No other smartwatch has this feature’: the Apple Watch’s most innovative running feature is one you’ve probably never used

The Garmin Venu 4 is your ‘do-it-all companion’ and our favourite smartwatch from the manufacturer — get it now for a record-low price

Apple Mac Studio M2 vs iMac M4: Which is the one for you?

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Is the Bluemercury Spring Makeup Edit Worth It? Full Breakdown

The Last Of Us Part 3 Graphics Already Has Gamers Seriously Excited

This ’90s Horror Gem Is Back and Taking Over Free Streaming 28 Years Later

GameStop Wants to Buy eBay

Trump picked a fight with the Pope: The one person he can’t fire, can’t outbid, and can’t outlast

Most Viewed Business News Articles, Top News Articles

Fighting reaches outskirts of Ukraine’s stronghold Kostiantynivka

Trump picked a fight with the Pope: The one person he can’t fire, can’t outbid, and can’t outlast

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

‘The Internet is falling down’: Critical cPanel CRLF injection vulnerability puts tens of millions of websites at risk of total compromise – hosting providers urged to apply CVE-2026-41940 patch immediately

Is the Bluemercury Spring Makeup Edit Worth It? Full Breakdown

Trump picked a fight with the Pope: The one person he can’t fire, can’t outbid, and can’t outlast

The Last Of Us Part 3 Graphics Already Has Gamers Seriously Excited

Most Viewed Business News Articles, Top News Articles

Leave a reply Cancel reply