
CVE-2026-41940 cPanel Zero-Day Exploited Since February

A critical authentication bypass vulnerability in cPanel & WHM has been actively exploited as a zero-day since February 23, 2026, affecting approximately 1.5 million internet-accessible instances. SecurityWeek reported that CVE-2026-41940 carries a CVSS score of 9.8 and allows remote, unauthenticated attackers to gain administrative access to hosting control panels.

The vulnerability affects all cPanel software versions after 11.40, with hosting providers including KnownHost, HostPapa, InMotion, and Namecheap immediately blocking access to cPanel & WHM systems after disclosure on April 28.

Technical Details of the Authentication Bypass

According to WatchTowr’s analysis, the flaw exploits a weakness in cPanel’s login flow where failed authentication attempts create pre-authentication session files on disk. Attackers can manipulate cookies to write attacker-controlled credentials in plaintext to these session files.

The exploit works by injecting specific characters via an authorization header to write parameters to the session file, then triggering a reload to authenticate using the injected credentials. This grants complete control over the cPanel host system, its configurations, databases, and all managed websites.

Rapid7 noted that successful exploitation provides attackers with system takeover capabilities, while the Canadian Centre for Cyber Security warned that compromised shared hosting servers could affect all hosted websites.

Pack2TheRoot Linux Vulnerability Enables Root Access

A separate high-severity vulnerability dubbed Pack2TheRoot allows unprivileged Linux users to install packages with root privileges through a time-of-check time-of-use race condition. CVE-2026-41651 affects PackageKit versions 1.0.2 to 1.3.4, with the flaw potentially existing since version 0.8.1 released 14 years ago.

Deutsche Telekom’s Red Team discovered that the vulnerability impacts multiple Linux distributions, including Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43. The flaw combines three issues in which caller-supplied flags are written without authorization checks, allowing unprivileged users to install arbitrary RPM packages as root.

The vulnerability is “reliably exploitable in seconds” according to Deutsche Telekom, though technical details remain undisclosed due to the ease of exploitation.

LiteLLM SQL Injection Exploited Within Days

A critical SQL injection vulnerability in the open source AI gateway LiteLLM was exploited just 36 hours after public disclosure. CVE-2026-42208 carries a CVSS score of 9.3 and affects the proxy API key verification process.

Sysdig reported that the vulnerability allows unauthenticated attackers to send crafted Authorization headers to any LLM API route, reaching a database query through the proxy’s error-handling path. Because the flaw is hit before authentication, any HTTP client that can reach the proxy port is sufficient to exploit it.

Attackers specifically targeted three database tables containing API keys, provider credentials, and environment variable configurations. The attacks occurred 21 minutes apart using automated tools with rotating IP addresses, though no continuation or credential abuse was observed.

GitHub Infrastructure Vulnerability Exposed Millions

Cloud security firm Wiz discovered a critical remote code execution vulnerability in GitHub’s internal Git infrastructure that exposed millions of repositories. CVE-2026-3854 affected both GitHub Enterprise Server and GitHub.com through an injection flaw in GitHub’s internal protocol.

Any authenticated user could execute arbitrary commands on GitHub’s backend servers using a single git push command with a standard git client. On GitHub Enterprise Server, exploitation could lead to full server compromise and access to all repositories and internal secrets.

On GitHub.com, the vulnerability enabled remote code execution on shared storage nodes, with Wiz confirming that “millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.”

GitHub deployed a fix to GitHub.com on March 4, the same day Wiz reported the vulnerability. A forensic investigation found no evidence of exploitation in the wild.

Robinhood Phishing Through Account Creation Abuse

Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to send legitimate-looking phishing emails over the weekend. The attack leveraged Gmail’s “dot trick” where periods in usernames are ignored by Gmail but treated as distinct accounts by Robinhood.

Attackers created new Robinhood accounts using modified Gmail addresses and injected malicious HTML code containing phishing links into device name fields. This triggered legitimate “recent login” notification emails from Robinhood that rendered unsanitized HTML with embedded phishing links.

The emails originated from ‘noreply@robinhood.com’ with the subject line ‘Your recent login to Robinhood’ and passed all authentication checks since they came from Robinhood’s own systems. The company stated this was “not a breach of our systems or customer accounts, and personal information and funds were not impacted.”
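The two defensive checks the Robinhood incident calls for, written here as an added illustration (not Robinhood’s code): canonicalizing Gmail addresses so dot-variants map to one account, and HTML-escaping user-controlled fields such as a device name before they are placed in a notification email. The provider list, table layout and sample values are assumptions constructed for the example.

```python
import html

# Assumption for this example: only these domains ignore dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Map 'j.o.hn@gmail.com' and 'john@gmail.com' to the same account key.

    Case is folded for every domain; dots (and a '+suffix') are removed from
    the local part only for providers known to ignore them.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").split("+", 1)[0]
    return f"{local}@{domain}"


def is_duplicate_signup(new_address: str, existing: set) -> bool:
    """True if an account already exists under the same canonical address."""
    return canonical_email(new_address) in {canonical_email(e) for e in existing}


# Constructed template for a "recent login" notice; {device} is user-controlled.
_TEMPLATE = "<p>Your recent login was from device <b>{device}</b>.</p>"


def render_login_notice_unsafe(device_name: str) -> str:
    # Vulnerable pattern: attacker-supplied text dropped straight into HTML,
    # so markup in the device name is rendered by the recipient's mail client.
    return _TEMPLATE.format(device=device_name)


def render_login_notice(device_name: str) -> str:
    # Hardened pattern: escape first so any markup is shown as literal text.
    return _TEMPLATE.format(device=html.escape(device_name, quote=True))


if __name__ == "__main__":
    existing = {"john@gmail.com"}
    print(is_duplicate_signup("jo.hn@gmail.com", existing))   # True
    injected = '<a href="https://phish.example">Reset password</a>'
    print(render_login_notice_unsafe(injected))
    print(render_login_notice(injected))
```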

https://x.com/AskRobinhood/status/2048649252352487683

What This Means

These vulnerabilities demonstrate the persistent challenge of securing widely-deployed infrastructure components. The cPanel zero-day’s months-long exploitation window highlights the difficulty of detecting authentication bypass attacks, while the rapid exploitation of LiteLLM shows how quickly threat actors can weaponize disclosed vulnerabilities.

The PackageKit vulnerability is particularly concerning given its 14-year potential lifespan and broad Linux distribution impact. Organizations should prioritize patching these systems immediately, with special attention to shared hosting environments where single compromises can affect multiple customers.

The GitHub vulnerability’s scope—potentially affecting millions of repositories—underscores the critical importance of securing code hosting infrastructure. While no exploitation was detected, the potential for supply chain attacks through compromised repositories remains a significant concern.

FAQ

How can I check if my cPanel installation is vulnerable to CVE-2026-41940?
All cPanel & WHM versions after 11.40 are affected. Check your version through the cPanel interface and apply the April 28 security update immediately. If you’re using shared hosting, contact your provider to confirm patching status.

What Linux distributions are affected by the Pack2TheRoot vulnerability?
Confirmed affected distributions include Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43. Any distribution shipping PackageKit with it enabled is potentially vulnerable.

How can organizations protect against SQL injection attacks like the LiteLLM vulnerability?
Implement parameterized queries for all database interactions, conduct regular security code reviews, and establish rapid patch deployment procedures. The 36-hour exploitation window demonstrates the need for immediate patching of disclosed vulnerabilities.
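As an added illustration of the LiteLLM-style bug described above and of the parameterized-query advice in this answer (example code, not LiteLLM’s own): API key verification that interpolates the bearer token from the Authorization header into SQL text, beside the parameterized version. The in-memory SQLite table and the sample tokens are constructed for the example.

```python
import sqlite3
from typing import Optional


def seed_db() -> sqlite3.Connection:
    """Constructed stand-in for a proxy's key table (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO api_keys VALUES (?, ?)",
                     [("sk-alice-1234", "alice"), ("sk-bob-5678", "bob")])
    return conn


def bearer_token(headers: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def verify_key_unsafe(conn: sqlite3.Connection, headers: dict) -> Optional[str]:
    # Vulnerable pattern: the header value becomes part of the SQL text, so a
    # quote character in the token rewrites the WHERE clause. This runs before
    # any authentication, exactly the exposure the LiteLLM report describes.
    token = bearer_token(headers)
    if token is None:
        return None
    row = conn.execute(
        f"SELECT owner FROM api_keys WHERE token = '{token}'").fetchone()
    return row[0] if row else None


def verify_key(conn: sqlite3.Connection, headers: dict) -> Optional[str]:
    # Hardened pattern: the token is bound as a parameter and is only ever
    # compared as data; the query text is fixed.
    token = bearer_token(headers)
    if token is None:
        return None
    row = conn.execute(
        "SELECT owner FROM api_keys WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = seed_db()
    crafted = {"Authorization": "Bearer ' OR owner='alice' --"}
    print(verify_key_unsafe(conn, crafted))  # alice: check bypassed
    print(verify_key(conn, crafted))         # None: token treated as data
```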

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.