Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In late April 2026, a critical authentication bypass vulnerability was disclosed in cPanel and WHM, tracked as CVE-2026-41940. The issue affects the login flow of these widely deployed hosting control panels and allows a remote, unauthenticated attacker to gain administrative access. Given the prevalence of cPanel across shared and dedicated hosting environments, the vulnerability represents a significant management plane risk.

AI finds the vulnerabilities, but exploiting them is a different problem. How Sophos Endpoint defends in the AI era, and what the public record on Mythos shows. When Mozilla shipped Firefox 150 with fixes for 271 issues identified by Anthropic’s Mythos model, the headlines focused on the count. The detail that mattered was further down: Mozilla credited only three CVEs to the model. The remaining 268 were classified as defense-in-depth, hardening, or bugs in code paths that could not be exploited.

AI just became the world's most dangerous exploit writer. Here's why Sophos Endpoint is built to stop it. AI-generated zero-days are here. Sophos Endpoint was architected to stop exploits that have never been seen before — blocking the techniques every attack must use, at the moment of execution, with no signature, no cloud lookup, and no configuration required.

A critical vulnerability in LiteLLM is turning AI infrastructure into an open vault; no login required. Tracked as CVE-2026-42208, this vulnerability allows attackers to extract API keys, cloud credentials, and provider authentication tokens without any credentials or prior access to the system. The root cause is fundamental lapse in input handling. LiteLLM’s API key validation blindly injects the Bearer token from the Authorization header into a SQL query without sanitization.

The cybersecurity industry is currently drowning in an “alphabet soup” of over 500 different category acronyms, a trend that is creating unnecessary noise and silos rather than helping practitioners. This hyper-niche branding often forces security teams to manage fragmented dashboards that don’t communicate with each other, adding to their workload instead of reducing it.

On April 30, 2026, two malicious releases of the popular lightning PyPI package were published, affecting the deep learning framework formerly distributed as pytorch-lightning. Versions 2.6.2 and 2.6.3 ship a hidden _runtime directory that downloads the Bun JavaScript runtime from GitHub at import time and uses it to execute an ~11 MB obfuscated credential stealer. The last clean release is 2.6.1, published January 30, 2026.

A critical vulnerability CVE-2026-41940 has been identified in cPanel, WHM, and WP Squared, affecting cPanel & WHM versions after 11.40, as well as WP Squared. These web hosting control panels are commonly used to manage websites, email, databases, and server configurations, making unauthorized access a serious security concern.

On April 28, 2026, cPanel patched a critical authentication bypass vulnerability affecting cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940. The issue stems from a flaw in the login and session handling process that allows Carriage Return Line Feed (CRLF) injection, enabling remote threat actors to bypass authentication and gain unauthorized access to the control panel.

A new Linux kernel LPE disclosed by Theori/Xint lets any unprivileged local user become root with a 732-byte Python script. Works first try, no race, no per-kernel offsets. CVSS 7.8 (High), effectively critical for shared-kernel and multi-tenant environments.

Since October 2025, CrowdStrike Counter Adversary Operations has observed a shift in intrusion tradecraft: Threat actors are executing high-speed, SaaS-centric attacks that bypass traditional endpoint visibility. CORDIAL SPIDER and SNARKY SPIDER exemplify this evolution as distinct adversaries conducting rapid data theft and extortion campaigns with striking operational similarities.