Hackers exploited a critical authentication bypass vulnerability in cPanel & WHM for months before its April 28 disclosure, with the flaw affecting all software versions after 11.40 and carrying a maximum CVSS score of 9.8. According to SecurityWeek, CVE-2026-41940 allows remote, unauthenticated attackers to gain administrative access to the control panel, essentially enabling complete system takeover.
The vulnerability impacts approximately 1.5 million internet-accessible cPanel instances worldwide, based on Shodan search data compiled by cybersecurity firm Rapid7. Hosting providers including KnownHost, HostPapa, InMotion, and Namecheap immediately blocked access to cPanel & WHM after notification of active exploitation.
Technical Details of the cPanel Exploit
Attack surface management firm WatchTowr’s analysis revealed that CVE-2026-41940 exploits a flaw in cPanel’s login flow mechanism. Upon failed login attempts, the cPanel service daemon writes pre-authentication session files to disk, which attackers can manipulate through specially crafted cookies.
The exploitation process involves:
- Cookie manipulation: Attackers inject specific characters via authorization headers
- Credential injection: Attacker-controlled credentials are written to session files in plaintext
- Session reload: The manipulated session file is reloaded to authenticate using injected credentials
According to Reddit posts by hosting provider KnownHost, active exploitation began on February 23, 2026 — more than two months before public disclosure.
Pack2TheRoot Linux Vulnerability Affects Multiple Distributions
A separate high-severity vulnerability dubbed “Pack2TheRoot” (CVE-2026-41651) allows unprivileged Linux users to install packages with root privileges through a time-of-check time-of-use race condition. The flaw carries a CVSS score of 8.1 and affects PackageKit versions 1.0.2 to 1.3.4, with the vulnerability likely existing since version 0.8.1 released 14 years ago.
Deutsche Telekom’s Red Team discovered the vulnerability impacts multiple Linux distributions including Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43. The vulnerability enables unprivileged users to install arbitrary RPM packages as root without authentication.
The flaw results from caller-supplied flags being written without checking transaction authorization, allowing attackers to corrupt transaction flags that are read at dispatch rather than authorization time.
LiteLLM SQL Injection Exploited Within Days
Cybercriminals exploited a critical SQL injection vulnerability in the open-source AI gateway LiteLLM just 36 hours after its April 24 indexing in GitHub’s Advisory database. CVE-2026-42208, with a CVSS score of 9.3, affects the proxy API key verification process.
Sysdig’s analysis shows attackers specifically targeted three database tables containing:
- API keys and provider credentials
- Proxy environment variable configurations
- Sensitive authentication data
The vulnerability stems from a database query that includes caller-supplied values directly in the query rather than passing them as separate parameters. Attackers can send specially crafted Authorization headers to any LLM API route, accessing queries through the proxy’s error-handling path before authentication occurs.
Attacks were conducted 21 minutes apart using automated tools that rotated origin IP addresses, though no credential abuse was observed following the data extraction.
GitHub Repository Access Vulnerability
Researchers at Wiz discovered CVE-2026-3854, a critical remote code execution vulnerability affecting GitHub’s internal Git infrastructure that exposed millions of repositories. The flaw impacted GitHub Enterprise Server, GitHub.com, and related cloud services.
The vulnerability allowed any authenticated user to execute arbitrary commands on GitHub’s backend servers using a single git push command through a standard git client. According to Wiz, exploitation required only push access to any repository, including user-created ones.
On GitHub.com, successful exploitation enabled:
- Remote code execution on shared storage nodes
- Access to millions of public and private repositories
- Potential compromise of internal secrets and configurations
GitHub deployed a fix to GitHub.com on March 4, the same day Wiz reported the vulnerability. The company’s forensic investigation found no evidence of wild exploitation.
Robinhood Phishing Through Account Creation Abuse
Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to send legitimate-looking phishing emails from ‘@robinhood.com’ addresses. The attack leveraged Gmail’s “dot trick” — where Gmail ignores periods in usernames while Robinhood treats each variation as distinct.
Attackers created new Robinhood accounts using modified Gmail addresses and injected malicious HTML code into device name fields during signup. This triggered legitimate “recent login” notification emails that rendered unsanitized HTML, embedding clickable phishing links that passed all authentication checks.
According to Robinhood, the attack did not constitute a system breach, and personal information and funds remained unimpacted. The phishing emails originated from Robinhood’s own systems, making them highly convincing to recipients.
https://x.com/AskRobinhood/status/2048649252352487683
What This Means
The simultaneous disclosure of multiple critical vulnerabilities highlights the persistent challenge of securing complex software infrastructure. The cPanel zero-day’s months-long exploitation window demonstrates how attackers can operate undetected in widely-used hosting platforms, potentially compromising thousands of websites simultaneously.
The rapid exploitation of LiteLLM within 36 hours of public disclosure shows how quickly threat actors monitor vulnerability databases and develop automated attack tools. This compressed timeline between disclosure and exploitation emphasizes the critical importance of immediate patching for organizations using affected software.
The diversity of attack vectors — from authentication bypass and privilege escalation to SQL injection and social engineering — underscores the need for comprehensive security strategies that address both technical vulnerabilities and human factors. Organizations should prioritize automated patch management, vulnerability scanning, and user education to defend against this evolving threat landscape.
FAQ
What should cPanel users do immediately?
Update to the latest cPanel & WHM version immediately if you haven’t already. All versions after 11.40 are affected by CVE-2026-41940. Contact your hosting provider if you’re on shared hosting to confirm they’ve applied the patch.
How can organizations defend against rapid vulnerability exploitation?
Implement automated vulnerability scanning and patch management systems. Monitor security advisory feeds and have emergency patching procedures for critical vulnerabilities. Consider using web application firewalls as temporary protection while patches are deployed.
Are there indicators that these vulnerabilities have been exploited?
For cPanel, check access logs for unusual administrative login activity or unauthorized configuration changes. For LiteLLM, monitor database access logs for unusual queries or data extraction patterns. GitHub and Robinhood have stated they found no evidence of exploitation in their respective cases.
Related news
Sources
- Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months – SecurityWeek
- Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access – SecurityWeek
- Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure – SecurityWeek
- Critical GitHub Vulnerability Exposed Millions of Repositories – SecurityWeek
- Robinhood Vulnerability Exploited for Phishing Attacks – SecurityWeek
