CVE-2026-41940 is a CVSS 9.8 authentication bypass in cPanel and WHM, discovered by watchTowr Labs, in which unauthenticated CRLF injection bypasses credential verification entirely across affected hosting environments. The vulnerability has a 94.9th percentile EPSS score, and multiple security publications report pre-patch exploitation activity; specific affected version ranges and confirmed IOCs were not available in source data at time of publication. Hosting providers and enterprise IT teams running cPanel or WHM must apply the vendor patch immediately and review for signs of pre-patch compromise.