At myshophosting, the security of your websites, email, and data is always our top priority. We take a proactive approach to protecting our customers, and this week was no exception.

Our Response to CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203

On 8th April 2026, cPanel publicly disclosed, via email, three critical authentication bypass vulnerabilities affecting cPanel and WHM: CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203. They appear to be a follow-up to last week’s critical CVE-2026-41940.

Here’s how we responded:

  • 8th May 2026 – 9am: Advised that cPanel patches would be released at 2am on 9th May 2026
  • 9th May 2026 – 02:20am AEST: All myshophosting servers were fully patched
  • Ongoing: We continue to monitor and clean up residual scanning attempts

Result: No evidence of any successful compromise was found on any myshophosting server.

We will continue to monitor the situation and will provide follow-up blog posts should they be required.

References:

https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026

https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026

https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026