Critical cPanel Authentication Bypass Threatens Millions
A critical authentication bypass vulnerability in cPanel software has triggered widespread exploitation across tens of thousands of hosting instances, putting millions of websites at risk. The flaw, designated CVE-2026-41940 with a CVSS score of 9.8, affects all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products.
According to Dark Reading, the vulnerability was disclosed on April 28, followed by a proof-of-concept exploit published by WatchTowr Labs on April 29. The timing proved disastrous for defenders, as Censys Internet scanning showed multiple threat actors began exploiting the flaw within 24 hours of public disclosure.
KnownHost CEO Daniel Pearson revealed on Reddit that the vulnerability had been exploited as a zero-day “for at least the last 30 days,” with attack attempts traced back to February 23. The flaw allows attackers to gain administrative access and completely take over hosting servers and their hosted websites.
Linux ‘Copy Fail’ Vulnerability Sees Active Exploitation
A decade-old Linux kernel vulnerability dubbed Copy Fail is now under active exploitation after lurking undetected since 2017. The flaw, tracked as CVE-2026-31431, affects the kernel’s authentication AEAD template and allows authenticated attackers to escalate privileges to root access.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Friday, ordering federal agencies to patch within two weeks. The agency has not disclosed specific exploitation details, but Microsoft reported observing limited in-the-wild activity, primarily proof-of-concept testing.
The vulnerability’s broad applicability across all Linux distributions since 2017 makes it particularly dangerous in cloud, CI/CD, and Kubernetes environments. Microsoft warns that successful exploitation leads to “full root privilege escalation” and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments.
Android Debug Bridge Daemon Flaw Enables Remote Code Execution
Google patched a critical remote code execution vulnerability in Android’s System component that requires no user interaction for exploitation. CVE-2026-0073 affects the Android Debug Bridge daemon (adbd), a background process managing communication between devices and computers for debugging purposes.
Google’s security advisory reveals the flaw allows attackers to execute code as the shell user without additional execution privileges. The company has not indicated any evidence of malicious exploitation in the wild, distinguishing it from several Android vulnerabilities exploited in attacks last year.
This is the latest in a series of Android security moves; Google also announced increased bug bounty payouts of up to $1.5 million for zero-click Pixel Titan M exploits with persistence.
Supply Chain Risks in AI Tools Surface
Two separate vulnerabilities in AI-powered tools highlight emerging supply chain attack vectors. A critical flaw in Gemini CLI was assigned the maximum CVSS score of 10.0 because it allowed attackers to mount supply chain attacks through indirect prompt injection.
Pillar Security discovered that Gemini CLI’s --yolo mode ignored tool allowlists, enabling execution of arbitrary commands. Attackers could exploit this by creating public GitHub issues with hidden malicious prompts, potentially compromising build environments and extracting internal secrets.
Separately, the Claude extension for Chrome contains a vulnerability dubbed ClaudeBleed that allows any Chrome extension to issue commands to Claude’s AI agent. LayerX Security found the extension’s lax permissions and poor origin verification enable attackers to bypass user confirmations and manipulate the AI agent through DOM manipulation.
Google addressed the Gemini CLI vulnerability on April 24 in version 0.39.1, implementing proper tool allowlisting under --yolo mode.
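The Gemini CLI flaw above comes down to one design decision: a "skip confirmations" mode must not also skip the tool allowlist, because the tool calls an agent proposes can originate from untrusted content it read (a GitHub issue, a web page). The following added example is not Gemini CLI code and does not model its real configuration; it is a hypothetical tool-call gate written for this digest. The allowlist syntax (`tool` or `tool(arg-prefix)`), the `ToolGate` class, and the sample plan are all constructed here to contrast the weak behaviour (yolo short-circuits every check) with the hardened one (yolo only suppresses the interactive prompt; the allowlist is always enforced).

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Decision:
    """Outcome of gating one proposed tool call."""
    tool: str
    args: Optional[str]
    allowed: bool
    needs_confirmation: bool
    reason: str


def _entry_matches(entry: str, tool: str, args: Optional[str]) -> bool:
    """Hypothetical allowlist grammar: 'tool' allows any args,
    'tool(prefix)' allows the tool only when args start with prefix."""
    name, _, rest = entry.partition("(")
    if name != tool:
        return False
    if not rest:            # bare tool name: any arguments accepted
        return True
    prefix = rest.rstrip(")")
    return args is not None and args.startswith(prefix)


class ToolGate:
    def __init__(self, allowlist: Iterable[str], yolo: bool = False):
        self.allowlist = tuple(allowlist)
        self.yolo = yolo    # "don't ask me" mode, as in the --yolo flag

    def _on_allowlist(self, tool: str, args: Optional[str]) -> bool:
        return any(_entry_matches(e, tool, args) for e in self.allowlist)

    def authorize_weak(self, tool: str, args: Optional[str]) -> Decision:
        """Weak behaviour: yolo bypasses the allowlist entirely, so a tool
        call injected via untrusted content runs without any policy check."""
        if self.yolo:
            return Decision(tool, args, True, False, "yolo: all checks skipped")
        if self._on_allowlist(tool, args):
            return Decision(tool, args, True, True, "allowlisted; confirm")
        return Decision(tool, args, False, True, "not allowlisted; ask user")

    def authorize(self, tool: str, args: Optional[str]) -> Decision:
        """Hardened behaviour: the allowlist is evaluated first and is final.
        yolo only decides whether an allowlisted call still prompts the user."""
        if not self._on_allowlist(tool, args):
            return Decision(tool, args, False, False,
                            "not allowlisted; denied regardless of yolo")
        return Decision(tool, args, True, not self.yolo,
                        "allowlisted; auto-approved" if self.yolo
                        else "allowlisted; confirm")


def evaluate_plan(gate: ToolGate, plan: List[Tuple[str, Optional[str]]],
                  hardened: bool = True) -> List[Decision]:
    """Run every proposed tool call in an agent's plan through the gate."""
    check = gate.authorize if hardened else gate.authorize_weak
    return [check(tool, args) for tool, args in plan]


if __name__ == "__main__":
    # Constructed plan: the first two calls are what the user asked for; the
    # third is the kind of call an injected instruction in an issue body would
    # try to add (placeholder command, not a real payload).
    plan = [
        ("read_file", "README.md"),
        ("run_shell_command", "git status"),
        ("run_shell_command", "<command supplied by untrusted issue text>"),
    ]
    gate = ToolGate(["read_file", "run_shell_command(git )"], yolo=True)
    for d in evaluate_plan(gate, plan, hardened=False):
        print("weak    ", d.tool, d.allowed, d.reason)
    for d in evaluate_plan(gate, plan, hardened=True):
        print("hardened", d.tool, d.allowed, d.reason)
```

Running it shows the weak gate approving all three calls under yolo, while the hardened gate approves only the two allowlisted calls and denies the third without asking. The design point carried by `authorize` is that the allowlist is a policy boundary and the confirmation prompt is a usability feature; a flag may remove the latter but must never reach past the former.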
What This Means
The April vulnerability disclosures reveal a troubling pattern: critical flaws moving from disclosure to active exploitation within hours rather than days. The cPanel vulnerability’s rapid weaponization demonstrates how proof-of-concept releases can accelerate threat actor adoption, particularly for high-impact authentication bypass flaws.
The Copy Fail Linux vulnerability’s decade-long presence highlights the challenge of detecting privilege escalation flaws in complex kernel code. Its broad applicability across containerized environments makes it especially concerning for cloud infrastructure providers.
Most significantly, the AI tool vulnerabilities represent an emerging attack surface as organizations integrate AI agents into development workflows. The combination of prompt injection techniques with traditional web security flaws creates novel supply chain risks that traditional security controls may not address.
FAQ
How quickly should organizations patch these vulnerabilities?
CISA mandates federal agencies patch Copy Fail within two weeks, while the cPanel vulnerability requires immediate attention given active exploitation. Android users should apply updates as soon as available through their device manufacturers.
What makes the cPanel vulnerability so dangerous?
The authentication bypass flaw allows complete server takeover without credentials, affecting millions of websites through shared hosting environments. The combination of critical impact and immediate exploitation makes it a top priority for web hosting providers.
Are AI tool vulnerabilities becoming more common?
While still emerging, AI tool vulnerabilities like those in Gemini CLI and Claude represent new attack vectors combining traditional web security flaws with prompt injection techniques. Organizations using AI development tools should review their security configurations and access controls.
Sources
- Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability – Dark Reading
- Exploitation of ‘Copy Fail’ Linux Vulnerability Begins – SecurityWeek
- Critical Remote Code Execution Vulnerability Patched in Android – SecurityWeek
- Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack – SecurityWeek
- Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover – SecurityWeek