On 2026-04-29, NIST published CVE-2026-41940 to its vulnerability database. This vulnerability affects most versions of cPanel & WHM and allows authentication to be bypassed in the login flow, giving unauthorized access to the control panel. The severity score is 9.8/10, marking it as extremely dangerous.
Blastport quickly responded to the announcement and followed WebPros' remediation steps by updating cPanel/WHM. As of now, there have not been any known successful exploitations at Blastport. However, we have identified many unsuccessful exploitation attempts. We will continue to monitor the situation and follow the appropriate recommendations.
If you believe you have been affected by this vulnerability, please open a ticket immediately and we will address the issue with you. Feel free to reach out with any questions, comments, or concerns as well.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2026-41940
Notification from cPanel: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
Thanks,
BP Support