Five Critical CVEs Exploited: cPanel Zero-Day, Linux Root Flaw

Cybersecurity researchers disclosed five critical vulnerabilities in April 2026, with hackers already exploiting three as zero-days. The most severe, CVE-2026-41940 affecting cPanel & WHM, carries a 9.8 CVSS score and has been actively exploited since February 23, allowing complete server takeover on 1.5 million exposed instances.

cPanel Zero-Day Grants Full Server Control

The cPanel & WHM authentication bypass vulnerability enables remote attackers to gain administrative access without credentials. According to SecurityWeek, the flaw affects all software versions after 11.40 and impacts the login flow through a session file manipulation technique.

Attack surface management firm WatchTowr discovered that failed login attempts cause the cPanel daemon to write pre-authentication session files to disk. Attackers can manipulate cookies to inject controlled credentials in plaintext, then reload the file to authenticate using the injected data.

Key impact details:

  • 1.5 million internet-accessible cPanel instances potentially vulnerable (Shodan data)
  • Complete control over host systems, configurations, databases, and managed websites
  • All shared hosting server websites at risk of compromise
  • Hosting providers KnownHost, HostPapa, InMotion, and Namecheap immediately blocked cPanel access after disclosure

Linux PackageKit Flaw Enables Root Privilege Escalation

CVE-2026-41651, dubbed “Pack2TheRoot,” allows unprivileged users to install arbitrary packages with root privileges on Linux systems. The vulnerability scores 8.1 on CVSS and stems from a time-of-check time-of-use (TOCTOU) race condition in PackageKit’s transaction flags.

Deutsche Telekom’s Red Team found that the flaw affects PackageKit versions 1.0.2 to 1.3.4, and that the bug has likely existed since version 0.8.1, released 14 years ago. The vulnerability impacts multiple Linux distributions including Ubuntu Desktop 18.04-26.04, Debian Trixie 13.4, RockyLinux 10.1, and Fedora 43.

Technical breakdown:

  • Caller-supplied flags written without authorization checks
  • Transaction runs with corrupted flags read at dispatch time
  • Unprivileged users can install RPM packages as root without authentication
  • Servers with Cockpit installed are particularly exposed, including RHEL systems

LiteLLM AI Gateway Hit 36 Hours After Disclosure

A critical SQL injection vulnerability in the open-source AI gateway LiteLLM was exploited within days of public disclosure. CVE-2026-42208 scores 9.3 on CVSS and affects the proxy API key verification process.

Sysdig reports that attackers began exploiting the flaw 36 hours after it was indexed in GitHub’s Advisory database on April 24. The vulnerability allows unauthenticated attackers to send crafted Authorization headers to any LLM API route, accessing database queries through error-handling paths.

The observed attacks targeted three specific database tables containing:

  • API keys and provider credentials
  • Proxy environment variable configurations
  • Sensitive authentication data

Attackers demonstrated detailed knowledge of LiteLLM’s Prisma-generated PostgreSQL identifier casing and performed systematic column-count discovery sweeps. The attacks occurred 21 minutes apart using automated tools with rotating IP addresses.

GitHub RCE Exposed Millions of Repositories

Cloud security firm Wiz discovered CVE-2026-3854, a remote code execution vulnerability affecting GitHub’s internal Git infrastructure. The flaw impacted GitHub Enterprise Server, GitHub.com, and related cloud services.

According to Wiz, any authenticated user could execute arbitrary commands on GitHub’s backend servers using a single `git push` command with a standard Git client. The vulnerability exploited an injection flaw in GitHub’s internal protocol.

Scope of potential impact:

  • GitHub Enterprise Server: Full server compromise and access to all repositories
  • GitHub.com: Remote code execution on shared storage nodes
  • Millions of public and private repositories accessible on affected nodes
  • GitHub Enterprise Cloud and Data Residency variants also affected

GitHub deployed a fix to GitHub.com on March 4, the same day Wiz reported the vulnerability. Enterprise Server patches became available shortly after. GitHub’s forensic investigation found no evidence of exploitation in the wild.

Robinhood Account Creation Flaw Enables Phishing

Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to send legitimate-looking phishing emails over the weekend. The attack leveraged Gmail’s “dot trick” where periods in usernames are ignored by Gmail but treated as distinct by Robinhood.

According to the company, attackers created new Robinhood accounts using modified Gmail addresses, then injected malicious HTML code containing phishing links into device name fields during signup. This triggered legitimate “recent login” notification emails that rendered unsanitized HTML with embedded clickable phishing links.

Attack methodology:

  • Emails originated from legitimate `[email protected]` address
  • Subject line: “Your recent login to Robinhood”
  • Passed all authentication checks as genuine Robinhood communications
  • May have leveraged email addresses from Robinhood’s 2021 data breach

https://x.com/AskRobinhood/status/2048649252352487683
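Two mitigations for the failure mode described above, as an added and constructed example that is not Robinhood’s code: canonicalising Gmail addresses so dot variants cannot register as distinct accounts, and validating then HTML-escaping the device name before it reaches the notification template. The function names, the allow-list, the `ExampleBroker` brand and the template are assumptions.

```python
import html
import re

# Added, constructed example: not Robinhood's code. Names (canonical_gmail,
# sanitize_device_name, render_login_notice) are hypothetical.


def canonical_gmail(address: str) -> str:
    """Map Gmail dot (and plus-tag) variants of one mailbox to a single key.

    Gmail ignores dots in the local part, so j.doe@gmail.com and jdoe@gmail.com
    deliver to the same inbox. Comparing the canonical form at signup stops one
    inbox from registering many "distinct" accounts.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if sep != "@" or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


# Allow-list for device names: letters, digits, spaces and a few punctuation
# marks; no '<', '>', '&' or quotes, so markup cannot even be stored.
DEVICE_NAME_OK = re.compile(r"[\w .,'()/-]{1,64}")


def sanitize_device_name(name: str) -> str:
    """Replace any device name that fails the allow-list with a neutral label."""
    name = name.strip()
    return name if DEVICE_NAME_OK.fullmatch(name) else "Unknown device"


NOTICE = "<p>Your recent login to {brand}</p><p>New sign-in from: <b>{device}</b></p>"


def render_login_notice_unsafe(device_name: str, brand: str = "ExampleBroker") -> str:
    """The failure mode described above: user input pasted straight into HTML."""
    return NOTICE.format(brand=brand, device=device_name)


def render_login_notice(device_name: str, brand: str = "ExampleBroker") -> str:
    """Hardened version: validate on input, then HTML-escape on output."""
    device = html.escape(sanitize_device_name(device_name), quote=True)
    return NOTICE.format(brand=html.escape(brand), device=device)


def contains_link_markup(rendered: str) -> bool:
    """Detection helper: flag rendered mail bodies carrying anchor/script/img tags."""
    return re.search(r"<(a|script|img)\b", rendered, re.IGNORECASE) is not None
```

`contains_link_markup` is the kind of check an outbound-mail pipeline can run on transactional templates to catch the unsafe path before a message leaves.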

What This Means

The April 2026 vulnerability disclosure cycle demonstrates the persistent challenge of securing complex software systems across different technology stacks. Three of the five disclosed vulnerabilities were exploited as zero-days, indicating either prior discovery by threat actors or rapid weaponization following disclosure.

The cPanel vulnerability presents the highest immediate risk given the 1.5 million exposed instances and complete system takeover potential. Organizations running affected versions should prioritize patching, while hosting providers have already begun implementing protective measures.

The PackageKit flaw’s 14-year existence highlights how fundamental system components can harbor critical vulnerabilities for extended periods. The broad Linux distribution impact requires coordinated patching across multiple vendor ecosystems.

GitHub’s rapid response and the lack of exploitation evidence suggest effective vulnerability disclosure and incident response processes. However, the potential scope – millions of repositories – underscores the cascading risks in centralized development platforms.

FAQ

What should cPanel users do immediately?
Update to the latest cPanel & WHM version released after April 28, 2026. Contact your hosting provider if you cannot directly access update controls, as many providers have already implemented protective measures or blocked access pending patches.

How can I check if my Linux system has PackageKit installed?
Run `systemctl status packagekit` or `which pkcon` in your terminal. Ubuntu Desktop, Fedora, and systems with Cockpit web interface are most likely to have PackageKit enabled. Disable the service if not needed or apply vendor patches immediately.
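A triage helper, added here as an example and not part of any vendor tooling: it classifies a PackageKit version string against the affected range reported above (1.0.2 to 1.3.4) and probes this host for `pkcon` and the service unit. The function names and the `systemctl is-active packagekit` probe are assumptions; a distribution may have backported the fix to a version inside that range, so the vendor advisory is the final word.

```python
import re
import shutil
import subprocess

# Added example, not vendor tooling. The affected range (1.0.2 to 1.3.4) is the
# one reported above for CVE-2026-41651; everything else here is an assumption.

AFFECTED_LOW = (1, 0, 2)
AFFECTED_HIGH = (1, 3, 4)


def parse_version(text: str) -> tuple:
    """Turn '1.2.5' (or a distro string like '1.3.4-2build1') into (1, 2, 5)."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)   # take only leading digits of each component
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def packagekit_in_affected_range(version: str) -> bool:
    """True when the upstream PackageKit version lies within 1.0.2 .. 1.3.4.

    Caveat: a distro may backport the fix without bumping the upstream version,
    so a True here means "check the vendor advisory", not "confirmed vulnerable".
    """
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def local_packagekit_status() -> dict:
    """Best-effort probe of this host: is pkcon on PATH, and is the unit active?"""
    status = {"pkcon": shutil.which("pkcon"), "unit_active": None}
    if shutil.which("systemctl"):
        res = subprocess.run(["systemctl", "is-active", "packagekit"],
                             capture_output=True, text=True)
        status["unit_active"] = res.stdout.strip()   # e.g. 'active' / 'inactive'
    return status


if __name__ == "__main__":
    import sys
    ver = sys.argv[1] if len(sys.argv) > 1 else "1.2.5"   # assumed sample value
    print(f"{ver}: in affected range = {packagekit_in_affected_range(ver)}")
    print(local_packagekit_status())
```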

Are GitHub private repositories safe from the RCE vulnerability?
GitHub patched the vulnerability on March 4 and conducted forensic analysis showing no evidence of exploitation. All repository types (public and private) were potentially accessible, but GitHub’s rapid response and investigation suggest no actual data exposure occurred.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.