cPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers

After 44,000 servers got hit, the internet is asking why anyone still trusts cPanel

TLDR: cPanel pushed a second emergency fix in 10 days after a recent attack hit 44,000 servers, patching three more newly found flaws. Online, people are split between mocking cPanel as ancient and risky, and defending it as one of the few easy ways regular folks can get a website and email online fast.

cPanel just had a very bad week. After a recent attack helped unleash ransomware on 44,000 servers, the company rushed out yet another emergency fix — this time for three more security holes, two of them serious enough to set off alarm bells for hosting companies. In plain English: the software many people use to run websites and email just got caught patching holes again, and the crowd online is not exactly handing out sympathy cards.

The comment section instantly turned into a roast. One of the loudest reactions was basically, “Wait… people are still using cPanel?” That snarky disbelief set the tone. Others went darker, warning that old hosting systems are packed into millions of servers and may be carrying years of hidden problems. There was a real “haunted attic of the internet” vibe, with users comparing today’s mess to ancient hacked tools from the forum era and saying these aging codebases keep coming back to bite everyone.

But not everyone joined the pile-on. A few defenders jumped in with the very practical counterpoint: cPanel may be messy, but it’s still one of the easiest ways for regular people to set up a website, secure it, and get email working fast. That sparked the classic tech drama: burn it all down and build your own versus normal humans need simple tools. So yes, the patch is the news — but the real spectacle is the community arguing over whether cPanel is a dangerous relic or the last easy on-ramp to the web.

Key Points

  • cPanel released a second emergency Technical Security Release on May 8, 2026, patching three vulnerabilities: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.
  • The article says the release came ten days after CVE-2026-41940 was used to compromise 44,000 web hosting servers and deploy ransomware.
  • CVE-2026-29201 is described as an arbitrary file read issue (CVSS score 4.3) caused by insufficient input validation in feature::LOADFEATUREFILE.
  • CVE-2026-29202 is described as an arbitrary Perl code execution flaw in the create_user API, and CVE-2026-29203 as an unsafe symlink handling vulnerability; both are rated CVSS 8.8.
  • The article explains that cPanel uses a TSR process with advance notice to customers, and says WebPros sent a pre-disclosure notice on May 7 before the May 8 patch release.

Hottest takes

"People are still using cpanel?" — operatingthetan
"Seeing these CPanel hacks reminds me how old these codebases are" — zuzululu
"there aren’t that many ways for a normie to create their own (sub)domain with TLS and an email in under five minutes" — rickdg