CISA added CVE-2026-41940, a missing authentication vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared), to its Known Exploited Vulnerabilities Catalog based on active exploitation evidence. The vulnerability is classified as a critical function bypass and represents a frequent attack vector for malicious actors. CISA urges all organizations to prioritize remediation as part of their vulnerability management practices, with federal agencies required to remediate by applicable due dates under BOD 22-01.