Dear Valued Host4Yourself Client,
We are writing to make you aware of two critical security vulnerabilities that have recently been discovered and actively exploited across the hosting industry.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ 1. CRITICAL – cPanel Authentication Bypass (CVE-2026-41940)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
This flaw allowed attackers to log into any cPanel or WHM account without a username or password, giving them full control over the server, websites, email, and databases. It was being actively exploited as a zero-day as far back as late February 2026 — over two months before a patch was released.
✅ Our Action: All H4Y shared hosting and internal cPanel systems have been fully patched.
⚠️ A Note on EOL Software: We have previously warned clients about the risks of running End-of-Life software. This exploit is a direct example of why it matters — some clients on EOL versions of cPanel could not receive the patch and had their servers compromised. If you have not acted on our previous EOL communications, please do so urgently.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ 2. HIGH – Linux Kernel "Copy Fail" (CVE-2026-31431)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
This flaw affects virtually all Linux servers running kernels built since 2017. Any user with basic shell access to an affected server can exploit it to gain full root (administrator) control in seconds using a publicly available script.
✅ Our Action: All H4Y shared hosting and internal systems affected by this vulnerability have been patched and rebooted onto the updated kernel.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ What You Need to Do
SELF-MANAGED CLIENTS – Please act immediately:
• Update cPanel/WHM via SSH:
    /scripts/upcp --force
  (Target version: 11.136.0.5 or later for your release track)
• Update and reboot your kernel:
    CentOS/CloudLinux/AlmaLinux: yum update kernel && reboot
    Debian/Ubuntu: apt update && apt upgrade && reboot
  Verify after reboot with: uname -r
• If you suspect your server was compromised during the exposure window, check your access logs for unusual logins or new accounts you did not create.
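An added example (not Host4Yourself's or cPanel's own tooling) for confirming that the update steps above took effect: it compares the installed cPanel version with a minimum and checks whether the running kernel is the newest one installed. The helper names, the --check argument, and reading /usr/local/cpanel/version and /boot/vmlinuz-* are assumptions of this example; the default minimum is the target version given above.

```shell
#!/bin/sh
# Added example: post-update checks. Function names are constructed for illustration.

# version_ge A B: exit 0 if dotted numeric version A >= B, 1 if lower, 2 if malformed.
version_ge() {
    case "$1.$2" in *[!0-9.]*|*..*|.*|*.) return 2 ;; esac
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*} fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=; else b=${b#*.}; fi
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
    done
    return 0
}

# newest_kernel: read kernel releases (one per line) on stdin, print the highest.
# Rescue images are skipped because they are not regular kernel releases.
newest_kernel() { grep -v rescue | sort -V | tail -n 1; }

# reboot_pending RUNNING: exit 0 if the newest release on stdin differs from RUNNING.
reboot_pending() {
    newest=$(newest_kernel)
    [ -n "$newest" ] && [ "$newest" != "$1" ]
}

if [ "${1:-}" = "--check" ]; then
    # Default is the target from the notice; pass the patched build for your track.
    min=${2:-11.136.0.5}
    # Assumption: cPanel records its installed version in this file.
    cur=$(cat /usr/local/cpanel/version 2>/dev/null)
    if version_ge "$cur" "$min"; then
        echo "cPanel $cur: at or above $min"
    else
        echo "cPanel '${cur:-not found}': below $min or unreadable"
    fi
    running=$(uname -r)
    if ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | reboot_pending "$running"
    then
        echo "kernel $running: a different, newer kernel is installed; reboot still needed"
    else
        echo "kernel $running: no newer kernel found in /boot"
    fi
fi
```

Run it with --check, optionally followed by the patched version for your release track. A match on the newest installed kernel shows the reboot took effect, not that the installed kernel package contains the fix.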
MANAGED CLIENTS – Our team is already working to ensure your systems are patched. If you would like confirmation of your server's status, or have any concerns, please contact us and we will prioritize your case.
If you believe your server has already been compromised, please contact us immediately and mark your ticket as urgent.
Thank you for your continued trust in Host4Yourself!
The H4Y Security Team