A CRLF injection in cPanel & WHM's session writer (CVE-2026-41940, CVSS 9.8) had been exploited in the wild since approximately February 23, 2026, roughly two months before cPanel issued an emergency patch on April 28. The exploit chains a malformed cookie to skip encryption and inject arbitrary properties (including user=root) into session files, with no credentials required. Approximately 1.5 million internet-exposed cPanel instances were vulnerable per Shodan telemetry. By May 2, multiple threat actors were using public proof-of-concept code to target government and military domains in the Philippines and Laos, as well as MSPs and web hosting providers.
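The bug class described above, reduced to a constructed model that is not cPanel's code or session format: a line-oriented session writer that interpolates a cookie-derived value verbatim, the hardened writer that refuses control characters, and a check that flags duplicate or unexpected properties in a session blob. The key allow-list and the cookie value are assumptions for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed model of a line-oriented session store ("key=value\n" per
# property). This is NOT cPanel's real session format; it only illustrates
# the CRLF-injection bug class described in the text.
CONTROL_CHARS = re.compile(r"[\r\n]")
# Hypothetical allow-list of keys the application itself writes.
KNOWN_KEYS = {"user", "sid", "ip"}

def write_session_unsafe(props: Dict[str, str]) -> str:
    """Vulnerable writer: a value containing CR/LF ends the current record
    and starts a new one, so the caller can smuggle extra properties."""
    return "".join(f"{k}={v}\n" for k, v in props.items())

def write_session_safe(props: Dict[str, str]) -> str:
    """Hardened writer: refuse (rather than escape) any key or value that
    carries a line terminator, and any key carrying the separator."""
    for k, v in props.items():
        if CONTROL_CHARS.search(k) or CONTROL_CHARS.search(v) or "=" in k:
            raise ValueError(f"refusing to write property {k!r}: "
                             "control or separator character present")
    return "".join(f"{k}={v}\n" for k, v in props.items())

def parse_session(blob: str) -> List[Tuple[str, str]]:
    """Parse a session blob into (key, value) pairs, keeping duplicates so
    every record that reached the file stays visible to the reader."""
    pairs = []
    for line in blob.splitlines():
        if line:
            key, _, value = line.partition("=")
            pairs.append((key, value))
    return pairs

def find_injected_properties(blob: str) -> List[Tuple[str, str]]:
    """Detection over an existing session blob: flag any key written more
    than once (an injected record overriding a legitimate one) and any key
    the application never writes itself."""
    pairs = parse_session(blob)
    counts: Dict[str, int] = {}
    for k, _ in pairs:
        counts[k] = counts.get(k, 0) + 1
    return [(k, v) for k, v in pairs if counts[k] > 1 or k not in KNOWN_KEYS]

# Constructed cookie value: a session id followed by a smuggled record.
INJECTED_SID = "abc123\nuser=root"
PROPS = {"user": "guest", "sid": INJECTED_SID, "ip": "203.0.113.7"}
```

With the unsafe writer the smuggled `user=root` record is the last one parsed and wins; the safe writer rejects the same input before anything reaches disk.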