CPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers

If you run a server with cPanel or WHM, you need to read this carefully.

On May 8, 2026 — just ten days after the cPanel CVE-2026-41940 authentication bypass was used to compromise 44,000 web hosting servers and deploy ransomware — cPanel quietly released a second emergency security patch. This one covers three new vulnerabilities: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.

Two of the three carry a CVSS score of 8.8. That puts them firmly in the High severity tier, one step below Critical.

This is the second Technical Security Release (TSR) in 10 days from cPanel. Two emergency patches in less than two weeks is not normal, and the timing — immediately following the worst cPanel attack in years — tells a clear story: the ransomware incident triggered a deeper code audit, and that audit found more problems.

Table of Contents