CVE-2026-41940 is a critical authentication bypass in cPanel and WHM that requires no credentials and no user interaction, allowing unauthenticated remote attackers to gain full administrative control of affected hosting environments. Active mass exploitation is underway with at least 44,000 reported compromised IPs as of May 2, 2026, and threat actors are deploying ‘Sorry’ ransomware to encrypt hosted Linux filesystems with no known decryption path. Any internet-facing cPanel or WHM installation that has not been patched must be treated as potentially compromised.