Canadian Cyber Security Journal

Cybersecurity Daily Brief — Wednesday, April 29, 2026

Here are today’s top cybersecurity stories for Wednesday, April 29, 2026.

cPanel and WHM Emergency Patch Released for Critical Authentication Bypass CVE-2026-41940
cPanel disclosed CVE-2026-41940, a critical authentication bypass affecting all supported versions of cPanel and WHM. The flaw allowed unauthenticated attackers to gain administrative access to web hosting servers without valid credentials. Confirmed exploitation in the wild preceded the patch, which cPanel released within hours of public disclosure. Hosting providers including KnownHost, Namecheap, and HostPapa blocked cPanel ports at the network level while the fix was deployed.
BleepingComputer

CISA Adds Windows Shell Zero-Day CVE-2026-32202 and ConnectWise ScreenConnect to KEV Catalog
CISA added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-32202, a Windows Shell protection mechanism failure linked to APT28 campaigns against Ukraine and EU targets dating back to December 2025, and CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect previously chained with an authentication bypass in ransomware and nation-state attacks. Federal agencies must remediate both by May 12, 2026.
The Hacker News

LiteLLM CVE-2026-42208: Critical SQL Injection in AI Gateway Exploited 36 Hours After Disclosure
Attackers began targeting CVE-2026-42208, a CVSS 9.3 pre-authentication SQL injection in LiteLLM, within 36 hours of public disclosure. The flaw allowed unauthenticated access to upstream LLM provider API keys and proxy runtime configuration via a crafted Authorization header. LiteLLM versions 1.81.16 through 1.83.6 are affected. Operators should patch to version 1.83.7-stable and treat any instance that was internet-exposed during the exposure window as compromised.
The Hacker News

VECT 2.0 Ransomware Permanently Destroys Files Over 128 KB Due to Encryption Flaw
Check Point Research revealed that VECT 2.0 ransomware contains a critical flaw in its ChaCha20 encryption implementation that discards three of four decryption nonces for files above 131,072 bytes, making those files unrecoverable even for the attackers. The flaw affects Windows, Linux, and ESXi variants equally. VECT first appeared in December 2025 and announced an affiliate partnership with the TeamPCP supply chain threat group in early 2026.
The Hacker News

GitHub CVE-2026-3854: Critical RCE Flaw Exploitable via a Single Git Push
Wiz researchers disclosed CVE-2026-3854, a CVSS 8.7 command injection vulnerability in GitHub Enterprise Server and GitHub.com. An authenticated user with push access to a repository could achieve remote code execution with a single git push command by injecting crafted push option values into internal service headers. Due to GitHub’s shared backend architecture, exploitation on GitHub.com carried cross-tenant exposure risk. GitHub patched the flaw within two hours of notification on March 4, 2026. No real-world exploitation was observed beyond researcher testing.
The Hacker News

Carnival Corporation Investigating 8.7 Million Record Breach Claimed by ShinyHunters
ShinyHunters listed Carnival Corporation on their extortion portal on April 18, 2026, claiming 8.7 million records from the Holland America Line Mariner Society loyalty program. The data included names, dates of birth, gender, and loyalty program status. Carnival confirmed suspicious activity tied to a phishing incident affecting a single user account. The ransom deadline passed without payment, and ShinyHunters began publishing the data publicly.
Security Boulevard

Microsoft Windows Secure Boot Certificates Expiring June 2026 — Update Required
Microsoft’s original Secure Boot certificates — the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 — expire in June 2026, with the Windows Production PCA 2011 expiring in October 2026. Devices without updated 2023 certificates will continue to boot but will no longer receive new boot-level security protections. Microsoft is delivering updated certificates via Windows Update automatically, and the Windows Security app now displays certificate update status.
Dark Reading

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 in APT28 Campaigns
Microsoft updated the April 2026 Patch Tuesday advisory for CVE-2026-32202 to confirm active exploitation, linking the flaw to APT28 LNK file campaigns targeting Ukraine and EU member states since December 2025. The vulnerability is an incomplete fix for CVE-2026-21510, patched in February 2026. CISA added the flaw to KEV on April 28 with a May 12 remediation deadline for federal agencies.
The Hacker News

CISA Releases Weekly Vulnerability Bulletin for Week of April 20, 2026
CISA published its weekly vulnerability summary covering newly disclosed CVEs from April 20–26, 2026. The bulletin documents high and critical severity flaws across network devices, enterprise software, and industrial control systems. Security teams should cross-reference the bulletin against their asset inventories and prioritize remediation for any KEV entries within the period.
CISA

Stay tuned for today’s in-depth analysis posts.
