
WebPros
Parent company of cPanel & WHM; shipped emergency patch for CVE-2026-41940 on 28 April 2026.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How did a CVE-9.8 cPanel flaw go 65 days unpatched while ransomware operators exploited it?
Timeline for WebPros
Shipped emergency patch for CVE-2026-41940 on 28 April after 65-day exploitation window
Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware activeIs my cPanel server still at risk from CVE-2026-41940?
Why did WebPros take 65 days to patch the cPanel zero-day?
What is WebPros and what software does it make?
Background
WebPros is the parent company of cPanel & WHM, the dominant shared-hosting control panel software used by an estimated 1.5 million publicly internet-exposed servers. On 28 April 2026, WebPros shipped an emergency patch for CVE-2026-41940, a CVSS 9.8 CRLF injection vulnerability in cPanel's login daemon (cpsrvd) that allowed unauthenticated session hijacking to root. The patch came 65 days after KnownHost telemetry confirmed exploitation had begun on 23 February 2026, meaning the zero-day window ran unpatched through nearly the entire spring hosting season.
WebPros acquired cPanel in 2019, combining it with its Plesk control panel brand to create the dominant player in shared-hosting management software. The company is headquartered in Luxembourg, though cPanel's development has historically been US-based. WebPros' products serve hosting providers who collectively host millions of customer websites, making any critical vulnerability in the shared stack a high-amplification risk.
The 65-day zero-day window and subsequent 'Sorry' ransomware activity raise questions about WebPros' internal security process and vulnerability disclosure practices. CISA added CVE-2026-41940 to KEV on 30 April — two days after the patch — indicating exploitation was already widespread when the fix shipped.