{"id":2516,"date":"2026-05-03T02:38:30","date_gmt":"2026-05-03T09:38:30","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=2516"},"modified":"2026-05-03T02:38:31","modified_gmt":"2026-05-03T09:38:31","slug":"emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/","title":{"rendered":"Emerging Threat: (CVE-2026-41940) cPanel &#038; WHM Authentication Bypass via CRLF Injection"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"584\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940-1280x584.png\" alt=\"\" class=\"wp-image-2517\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940-1280x584.png 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940-512x234.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940-768x351.png 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940-1536x701.png 1536w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940.png 1790w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><figcaption class=\"wp-element-caption\"><em>Sample of assets impacted by cPanel &amp; WHM Authentication Bypass vulnerability, identified by the CyCognito Platform<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What is CVE-2026-41940?<\/h2>\n\n\n\n<p>CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel and WHM caused by a CRLF (Carriage Return Line Feed) injection in the login and session handling logic. 
An unauthenticated remote attacker can inject raw <code>\\r\\n<\/code> characters into a malicious basic authorization header, which <code>cpsrvd<\/code> then writes into a session file without sanitization. <\/p>\n\n\n\n<p>By manipulating the <code>whostmgrsession<\/code> cookie to skip the per-session encryption step, the attacker can insert arbitrary properties such as <code>user=root<\/code>, <code>hasroot=1<\/code>, and <code>successful_internal_auth_with_timestamp<\/code> into their own session file. Reloading that session promotes the attacker to a fully authenticated administrator.<\/p>\n\n\n\n<p>The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). No authentication, privileges, or user interaction are required, and the attack vector is fully network-based against any reachable cPanel or WHM management port.<\/p>\n\n\n\n<p>The practical impact is total compromise of the host. A successful exploit grants administrative control of WHM, which on shared hosting infrastructure means control over every site, database, and email account the server hosts. <\/p>\n\n\n\n<p>CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on May 1, 2026, with a remediation deadline of May 3, 2026 for federal agencies. Hosting provider KnownHost reports evidence that exploitation began as early as February 23, 2026, roughly two months before the public advisory and patch.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What assets are affected by CVE-2026-41940?<\/h2>\n\n\n\n<p>The vulnerability affects all supported versions of cPanel and WHM released after version 11.40, as well as WP Squared, a managed WordPress hosting platform built on cPanel. Patched releases span seven version branches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 136.1.7. 
Servers with auto-update disabled or pinned to a specific build will not patch automatically.<\/p>\n\n\n\n<p>In practice, an affected asset is a cPanel or WHM management interface served by the <code>cpsrvd<\/code> daemon on <code>TCP\/2082<\/code>, <code>TCP\/2083<\/code> (cPanel), <code>TCP\/2086<\/code>, <code>TCP\/2087<\/code> (WHM), or <code>TCP\/2095<\/code>, <code>TCP\/2096<\/code> (Webmail). These interfaces are typically reachable over the public internet because shared hosting customers, resellers, and operations teams need browser access to the panel. Public internet scanning data indicates approximately 1.5 million cPanel instances exposed on the open web, with the actual vulnerable population unknown but expected to be the majority of unpatched systems.<\/p>\n\n\n\n<p>The asset profile is consistent across the exposed population: long-running web hosting servers, shared infrastructure operated by hosting providers and resellers, and individual organizations running their own cPanel boxes. 
Because cPanel is the management plane for a large share of the global hosting market, a single unpatched instance can represent control over hundreds or thousands of downstream sites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What does our data show about exposure patterns?<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"763\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-169-1280x763.png\" alt=\"\" class=\"wp-image-2518\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-169-1280x763.png 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-169-512x305.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-169-768x458.png 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-169.png 1485w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/figure>\n\n\n\n<p>Exposure in this set is led by Industrials at 25.4% of observed assets, with Consumer Discretionary contributing 16.3% and Communication Services 15.6%. The remaining 42.6% is spread across Health Care, Consumer Staples, Energy, Materials, Financials, Information Technology, and Utilities, with no single sector dominating the tail.<\/p>\n\n\n\n<p>Industrials lead because the sector covers a wide mix of capital goods manufacturers, commercial services firms, and transport operators that historically rely on outsourced web hosting and reseller infrastructure for marketing sites, partner portals, and regional subsidiary properties. <\/p>\n\n\n\n<p>These deployments tend to outlive the projects that created them, accumulate ownership ambiguity, and rarely sit on an active patch cadence. 
Consumer Discretionary and Communication Services follow a similar pattern, with media properties, hospitality brands, and consumer-facing storefronts often hosted on cPanel-managed servers procured through agencies or local providers.<\/p>\n\n\n\n<p>The cross-sector spread is the more telling signal. cPanel is not concentrated in any one industry because it is the default control panel for a substantial share of the global shared hosting market. That makes the distribution a proxy for which sectors carry the most forgotten or loosely governed web infrastructure. The high share in Others reflects how many of these assets sit outside the primary asset inventory of their owning organization, often discovered only when an external attack surface scan surfaces them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Are fixes available?<\/h2>\n\n\n\n<p>Patches are available. cPanel released fixed versions on April 28, 2026, covering seven supported version branches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 136.1.7. Operators should run the cPanel update script (<code>\/scripts\/upcp --force<\/code>), confirm the build version after the update, and restart <code>cpsrvd<\/code> to ensure the new code path is loaded.<\/p>\n\n\n\n<p>Servers with auto-update disabled or version pinning will not receive the fix automatically and require manual intervention. 
CISA&#8217;s KEV entry sets a remediation deadline of May 3, 2026 for federal civilian agencies, and several major hosting providers, including Namecheap, KnownHost, HostPapa, and InMotion, blocked inbound traffic to cPanel ports as a precautionary measure ahead of customer patching.<\/p>\n\n\n\n<p>Operators should verify the patched build directly on each host rather than relying on dashboard reporting, given the staggered rollout across version branches and the existence of pinned environments where automatic updates are disabled.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Are there any other recommended actions to take?<\/h2>\n\n\n\n<p>Until patches are confirmed in place, restrict inbound access to <code>TCP\/2082<\/code>, <code>TCP\/2083<\/code>, <code>TCP\/2086<\/code>, <code>TCP\/2087<\/code>, <code>TCP\/2095<\/code>, and <code>TCP\/2096<\/code> at the network edge or via host firewall to known administrative IPs only. Stop the <code>cpsrvd<\/code> and <code>cpdavd<\/code> services on systems that cannot be patched immediately. <\/p>\n\n\n\n<p>Review <code>\/usr\/local\/cpanel\/logs\/access_log<\/code> and the session directory for unexpected sessions, anomalous login activity, or session files containing injected <code>user=root<\/code> or <code>hasroot=1<\/code> properties. 
Rotate credentials on any host that was internet-reachable before patching, and run cPanel&#8217;s published indicator-of-compromise script to surface known exploitation artifacts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How can CyCognito help your organization?<\/h2>\n\n\n\n<p>CyCognito published an Emerging Threat Advisory for CVE-2026-41940 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.<\/p>\n\n\n\n<p>To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, <a href=\"https:\/\/www.cycognito.com\/demo\/\">contact us to request a demo<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical pre-authentication CRLF injection vulnerability in cPanel and WHM allows unauthenticated remote attackers to inject crafted lines into pre-auth session files and promote themselves to root, granting full administrative control<\/p>\n","protected":false},"author":39,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2516","post","type-post","status-publish","format-standard","hentry","category-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Emerging Threat: (CVE-2026-41940) cPanel &amp; WHM Authentication Bypass via CRLF Injection | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Emerging Threat: (CVE-2026-41940) cPanel 
&amp; WHM Authentication Bypass via CRLF Injection | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"A critical pre-authentication CRLF injection vulnerability in cPanel and WHM allows unauthenticated remote attackers to inject crafted lines into pre-auth session files and promote themselves to root, granting full administrative control\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-03T09:38:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-03T09:38:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1790\" \/>\n\t<meta property=\"og:image:height\" content=\"817\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Igal Zeifman\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Igal Zeifman\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/\"},\"author\":{\"name\":\"Igal Zeifman\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/79ab10bc35a38aef399f5bbd21d8f1b3\"},\"headline\":\"Emerging Threat: (CVE-2026-41940) cPanel &#038; WHM Authentication Bypass via CRLF Injection\",\"datePublished\":\"2026-05-03T09:38:30+00:00\",\"dateModified\":\"2026-05-03T09:38:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/\"},\"wordCount\":902,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940-1280x584.png\",\"articleSection\":[\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/\",\"name\":\"Emerging Threat: (CVE-2026-41940) cPanel & WHM Authentication Bypass via CRLF Injection | CyCognito 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940-1280x584.png\",\"datePublished\":\"2026-05-03T09:38:30+00:00\",\"dateModified\":\"2026-05-03T09:38:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CVE-2026-41940.png\",\"width\":1790,\"height\":817},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-41940-cpanel-whm-authentication-bypass-via-crlf-injection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Emerging Threat: (CVE-2026-41940) cPanel &#038; WHM Authentication Bypass via CRLF Injection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito 
Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/79ab10bc35a38aef399f5bbd21d8f1b3\",\"name\":\"Igal Zeifman\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b4495bcfbe7465d573c6f7ee3e2a3cab?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b4495bcfbe7465d573c6f7ee3e2a3cab?s=96&d=mm&r=g\",\"caption\":\"Igal Zeifman\"},\"description\":\"VP of Marketing\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/igal-zeifman\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/2516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=2516"}],"version-history":[{"count":1,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/2516\/revisions"}],"predecessor-version":[{"id":2519,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/2516\/revisions\/2519"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=2516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=2516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=2516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}