Critical cPanel CVE-2026-41940 Exploited, Linux Dirty Frag

A critical authentication bypass vulnerability in cPanel software has come under heavy exploitation from multiple threat actors within 24 hours of public disclosure, while a new Linux privilege escalation flaw dubbed “Dirty Frag” may already be exploited in the wild. The cPanel flaw, tracked as CVE-2026-41940 with a CVSS score of 9.8, affects millions of websites across tens of thousands of compromised instances.

According to Dark Reading, cPanel issued a security update on April 28 to address the vulnerability affecting all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products. WatchTowr Labs published a proof-of-concept exploit and technical analysis on April 29, describing it as a “disaster” flaw that allows attackers to gain administrative access and take over servers and hosted websites.

cPanel Zero-Day Activity Confirmed

KnownHost, a managed cPanel hosting provider, flagged CVE-2026-41940 as a zero-day vulnerability with approximately 30 servers showing signs of attempted exploitation. KnownHost CEO Daniel Pearson confirmed on Reddit that the vulnerability had been exploited for “at least the last 30 days,” with attack attempts traced back to February 23.

Internet scanning from Censys revealed the cPanel flaw came under attack from multiple threat actors within 24 hours of disclosure. The authentication bypass allows attackers to completely compromise web hosting control panels, giving them access to customer websites, databases, and server configurations.

The vulnerability affects cPanel’s core authentication mechanism, enabling attackers to bypass login requirements entirely. This grants unauthorized administrative access to hosting control panels, allowing threat actors to modify DNS settings, access email accounts, install malicious code, and steal sensitive data from hosted websites.

Linux Dirty Frag Vulnerability Chains Two CVEs

Security researchers disclosed a new Linux privilege escalation vulnerability called “Dirty Frag” that chains two flaws tracked as CVE-2026-43284 and CVE-2026-43500. SecurityWeek reported that researcher Hyunwoo Kim responsibly disclosed the vulnerability, but someone made it public before patches could be released.

The exploit allows an unprivileged user to escalate permissions to root on major Linux distributions. Kim explained that “because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”

The vulnerabilities affect the xfrm-ESP (IPsec) and RxRPC components of the Linux kernel, with the greatest impact on hosts that do not run container workloads. In container deployments, an attacker may be able to exploit Dirty Frag to escape a container, though this has yet to be demonstrated.

Microsoft reports that Dirty Frag may already be exploited in the wild. According to the tech giant, its Defender product has detected limited activity that could indicate exploitation of either Dirty Frag or the related Copy Fail vulnerability.
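As a defender's inventory step for the Dirty Frag section above, here is an added example (not from the article or from the researcher) that parses /proc/modules and reports whether the affected kernel subsystems, xfrm-ESP (IPsec) and RxRPC, are loaded on a host. The module-name mapping is an assumption (rxrpc for RxRPC; esp4/esp6 plus the xfrm_user and af_key helpers for IPsec ESP), and subsystems compiled into the kernel rather than built as modules will not show up here.

```python
"""Report whether the kernel subsystems named for Dirty Frag (xfrm-ESP and
RxRPC) are loaded on a Linux host, by parsing /proc/modules.

Added example; not from the article or the researcher. The module names
below are an assumption; built-in (non-modular) subsystems will not appear.
"""
from pathlib import Path

# Assumed module names for the affected subsystems (hypothetical mapping).
WATCHED_MODULES = {
    "rxrpc": "RxRPC (AF_RXRPC sockets)",
    "esp4": "IPsec ESP over IPv4 (xfrm)",
    "esp6": "IPsec ESP over IPv6 (xfrm)",
    "xfrm_user": "xfrm netlink configuration interface",
    "af_key": "PF_KEY IPsec key management interface",
}


def parse_proc_modules(text: str) -> dict[str, int]:
    """Parse /proc/modules text into {module_name: refcount}.

    Each line looks like: name size refcount deps state address
    """
    loaded: dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # tolerate blank or malformed lines
        name, refcount = fields[0], fields[2]
        try:
            loaded[name] = int(refcount)
        except ValueError:
            continue
    return loaded


def report_watched(loaded: dict[str, int]) -> list[tuple[str, str, int]]:
    """Return (module, description, refcount) for each watched module that is loaded."""
    return [(m, WATCHED_MODULES[m], loaded[m]) for m in WATCHED_MODULES if m in loaded]


def scan_live_host(path: str = "/proc/modules") -> list[tuple[str, str, int]]:
    """Scan the running kernel; returns [] where the file is absent (non-Linux)."""
    p = Path(path)
    if not p.exists():
        return []
    return report_watched(parse_proc_modules(p.read_text()))


# Constructed sample of /proc/modules output (not captured from a real host).
SAMPLE_PROC_MODULES = """\
rxrpc 1138688 1 kafs, Live 0xffffffffc0a00000
esp4 32768 0 - Live 0xffffffffc09f0000
xfrm_user 57344 1 - Live 0xffffffffc09e0000
ext4 1015808 2 - Live 0xffffffffc0100000
"""

if __name__ == "__main__":
    for name, desc, refs in report_watched(parse_proc_modules(SAMPLE_PROC_MODULES)):
        print(f"{name:10} loaded (refcount {refs}): {desc}")
    live = scan_live_host()
    print("live host:", live or "none of the watched modules loaded, or not Linux")
```

Run it on the sample to see the three watched modules flagged; on a real host the second line reports the live kernel. A host where none of these appear (and where the subsystems are not built in) has a smaller exposure to the components the article names, which is useful for prioritising kernel updates.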

Android System Component Gets Critical Patch

Google released an Android update patching CVE-2026-0073, a critical remote code execution vulnerability in Android’s System component. SecurityWeek reported that the flaw affects the Android Debug Bridge daemon (adbd), allowing attackers to execute code as the shell user without additional execution privileges or user interaction.

The vulnerability impacts adbd, a background process that manages communication between Android devices and computers for debugging and shell access. Google confirmed no patches were released this month for Wear OS, Pixel Watch, Android XR, and Android Automotive.

There is no indication that CVE-2026-0073 has been exploited in malicious attacks. Only one Android vulnerability patched this year has been flagged as exploited in the wild, though several flaws were exploited in attacks last year.

AI Agent Vulnerabilities Target Supply Chains

Security researchers identified critical vulnerabilities in AI tools that could enable supply chain attacks. Pillar Security discovered a flaw in Gemini CLI with a CVSS score of 10/10 that could allow attackers to mount supply chain attacks via indirect prompts injected into GitHub issues.

The vulnerability existed because Gemini CLI in --yolo mode would ignore tool allowlists, leading to execution of any command. An attacker could exploit this by creating a public issue on a Google GitHub repository and hiding malicious prompts in its text.

Google addressed the vulnerability on April 24 in Gemini CLI version 0.39.1, which now evaluates tool allowlisting under --yolo mode. At least eight other Google repositories had the same vulnerable workflow template deployed.
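To make the design flaw concrete, the following added example (not Gemini CLI code; the class and function names are invented for illustration) contrasts a toy tool-call gate in which an auto-approve mode short-circuits the allowlist, as the article describes for the pre-fix behaviour, with a gate in which the allowlist is an authorization decision that auto-approve cannot override. The scenario values, including the tool names and the issue text, are constructed.

```python
"""Toy tool-call gate for an AI coding agent: the pre-fix shape (auto-approve
bypasses the tool allowlist) beside the corrected shape (allowlist enforced
regardless of approval mode).

Added example; not Gemini CLI code. Names are hypothetical reconstructions.
"""
from dataclasses import dataclass, field


@dataclass
class ToolCall:
    name: str                                   # tool the model wants to invoke
    args: dict = field(default_factory=dict)    # model-supplied arguments


@dataclass
class AgentPolicy:
    allowed_tools: frozenset[str]   # tools the operator permitted
    auto_approve: bool = False      # "yolo": skip the interactive confirmation


def vulnerable_gate(policy: AgentPolicy, call: ToolCall, user_confirms: bool = False) -> bool:
    """Pre-fix logic (hypothetical reconstruction): auto-approve short-circuits
    every check, so the allowlist is never consulted."""
    if policy.auto_approve:
        return True  # bug: authorization skipped entirely
    return call.name in policy.allowed_tools and user_confirms


def hardened_gate(policy: AgentPolicy, call: ToolCall, user_confirms: bool = False) -> bool:
    """Fixed logic: authorization (allowlist) is decided first; auto-approve only
    replaces the human confirmation step for calls that are already allowed."""
    if call.name not in policy.allowed_tools:
        return False  # prompt content cannot change this decision
    return policy.auto_approve or user_confirms


def run_scenario(gate) -> dict[str, bool]:
    """Exercise one gate with a read-only allowlist in auto-approve mode and two
    requests: a legitimate file read and an injected request for a tool outside
    the allowlist (constructed scenario)."""
    policy = AgentPolicy(allowed_tools=frozenset({"read_file", "list_dir"}),
                         auto_approve=True)
    injected = ToolCall("run_shell_command",
                        {"command": "<text taken from an untrusted issue body>"})
    legit = ToolCall("read_file", {"path": "README.md"})
    return {
        "injected_allowed": gate(policy, injected),
        "legit_allowed": gate(policy, legit),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_gate))
    print("hardened:  ", run_scenario(hardened_gate))
```

The point of the split is that "skip the confirmation prompt" and "is this tool permitted at all" are separate decisions; an unattended workflow that reads untrusted text (such as issue bodies) should keep the second one fixed by the operator, because the model's own request can be steered by that text.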

LayerX reported a separate vulnerability dubbed “ClaudeBleed” in the Claude extension for Chrome that could allow attackers to take over the AI agent. The flaw combines lax permissions and poorly implemented trust in the origin of commands, allowing any Chrome extension to run commands in Claude.

What This Means

The rapid exploitation of CVE-2026-41940 demonstrates how quickly threat actors can weaponize critical vulnerabilities affecting widely-deployed software. With millions of websites using cPanel hosting, the authentication bypass represents a significant attack surface for cybercriminals seeking to compromise web infrastructure.

The emergence of Dirty Frag adds to growing concerns about Linux kernel vulnerabilities that enable privilege escalation. The high success rate and lack of timing dependencies make this exploit particularly dangerous for attackers who have gained initial access to Linux systems.

AI agent vulnerabilities highlight new attack vectors as organizations increasingly integrate AI tools into development workflows. Supply chain attacks through AI agents could become a significant threat vector as these tools gain more access to sensitive development environments and credentials.

FAQ

What is CVE-2026-41940 and why is it dangerous?
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel software that allows attackers to gain administrative access without valid credentials. It’s dangerous because it affects millions of websites and has been exploited as a zero-day for at least 30 days.

How does the Dirty Frag Linux vulnerability work?
Dirty Frag chains two CVEs (CVE-2026-43284 and CVE-2026-43500) to allow unprivileged users to escalate to root privileges on Linux systems. It affects the xfrm-ESP and RxRPC kernel components with a high success rate and no timing dependencies.

Are AI agent vulnerabilities a new threat category?
Yes, as AI agents gain access to development environments and sensitive data, they represent new attack vectors for supply chain compromises. The Gemini CLI and Claude vulnerabilities show how AI tools can be manipulated through prompt injection and permission bypasses.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.