A newly discovered vulnerability in the widely used web server management software, cPanel and WebHost Manager (WHM), has security experts warning of a significant threat. The bug allows hackers to bypass login screens and gain full control over affected servers, which are estimated to host tens of millions of websites worldwide.

While many commercial hosting companies have already patched their systems, the cPanel maker is urging customers to ensure that all supported versions are updated. The software provides deep access to managed servers, meaning hackers could potentially gain unrestricted access to critical data and configurations.

The bug, officially tracked as CVE-2026-41940, has been exploited for months, according to one hosting company. This suggests that the threat is real and widespread, despite the recent discovery. Web hosts such as Namecheap and HostGator have taken steps to secure their systems against potential exploitation.

The ubiquity of cPanel across the web hosting industry means that the potential impact is vast. Hackers could compromise numerous websites if left unpatched. Canada’s national cybersecurity agency has warned that shared hosting servers, especially those managed by large companies, are at risk.

Security measures are in place to mitigate the threat, but swift action from cPanel customers or their web hosts remains crucial. The bug underscores the importance of regular software updates and robust security practices in managing online assets.