cPanel - CVE-2026-41940 - Incident Notification

OVHcloud was recently informed of a security concern from cPanel team that has been identified as CVE-2026-41940. This concern allows for the possibility of exploitation on machines running cPanel & WHM.

An overview of the security concern and details of the patch can be found here - https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

To immediately address and protect from any security concerns, OVHcloud teams highly recommends anyone using a cPanel image to execute the recommended patch, as described by cPanel, on the CVE documentation.

If you are using an OVHcloud provided cPanel template, please be advised that our image is not yet patched. If you need to reinstall your template for any reason between now and our patches being applied, you will need to execute the recommended steps to patch again, to ensure you remain secure.

We will update here as soon as our cPanel templates are patched.
We appreciate your understanding.

Engineering teams have now updated all OVHcloud provided cPanel templates to include the latest security patch as of 2026-05-05 14:00 UTC. A new install will automatically deploy with the updated patch in place.

For customers utilizing BYOI (Bring Your Own Image), we still recommend applying the patch yourself to remain secure. Please refer to the official CVE documentation for detailed remediation steps specific to your configuration here - https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026