On April 28, 2026, cPanel pushed an emergency security update for what it described as a vulnerability affecting "various authentication paths" across all currently supported versions of cPanel and WHM (Web Host Manager — the server-level admin interface that controls virtually everything on a shared hosting server).
The advisory was clinical and brief. What it didn't say was that attackers were already inside.
KnownHost, one of the first providers to publicly respond, confirmed that "successful exploits were seen in the wild" before the patch was released — and cPanel itself characterised the issue as an "industry-wide problem." Webhosting
The flaw lies in a session-loading and saving mechanism (internally tracked as CPANEL-52908) — in plain terms, an attacker could walk through cPanel's front door without ever needing a password. WHM provides root-level access to servers, allowing control over email routing, databases, SSL certificates, and every hosted account sitting beneath it. A single compromised WHM instance doesn't just endanger one website — it endangers every site on that server.
A web hosting and domain registration company, Namecheap, disclosed that it "relates to an authentication login exploit that could allow unauthorised access to the control panel."
Hosting providers, including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion Hosting, all blocked cPanel ports at the network level while waiting for the patch. cPanel released a fix roughly 2–3 hours after the public advisory, with full deployment across major providers taking 6–7 hours.
The numbers make the stakes clear. With over 70 million domains relying on cPanel, the flaw dramatically expanded the attack surface, potentially enabling mass website defacement, data exfiltration, and server compromise across the hosting supply chain.
But the timeline raises harder questions. An industry source told webhosting.today that the vulnerability had been reported to cPanel approximately two weeks before the April 28 public advisory, and that cPanel's initial response was that nothing was wrong.
Hosting.com's incident communications described the issue as having been "responsibly disclosed to cPanel," confirming that private disclosure preceded the public advisory. The gap between "we told them" and "patch available" is the window during which active exploitation occurred. Webhosting
No CVE ID has been assigned yet, which means automated vulnerability scanners may not flag this incident — manual verification is essential.
What you need to do right now:
If you manage a cPanel server, run /scripts/upcp --force as root to force the update, then verify your version with /usr/local/cpanel/cpanel -V. Patched builds are: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 11.136.1.7.
Servers running unsupported or end-of-life versions will not receive patches and should be treated as actively compromised until proven otherwise. Enable two-factor authentication on WHM, restrict access to trusted IPs only, and audit your login logs for any suspicious access during the April 28 window before port blocks went into effect.