CVE

On April 28, 2026, cPanel released an emergency patch for CVE-2026-41940 — a CVSS 9.8 authentication bypass that, as it turned out, attackers had been quietly exploiting since approximately February 23. That is roughly two months of zero-day exposure across an estimated 1.5 million internet-facing cPanel & WHM instances. CISA promptly added it to its Known Exploited Vulnerabilities catalog, which is the agency’s way of saying: stop reading and go patch. ...

In late March, the Dovecot team published advisory OXDC-ADV-2026-0001 — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention. Here is a breakdown of what matters, in roughly descending order of alarm. The Serious Ones CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH) ...