PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40684 cPanel CVE debrief

cPanel’s advisory says Exim vulnerabilities affecting versions prior to 4.99.2 are fixed in updated cpanel-exim packages delivered through specific cPanel/WHM builds. Administrators running affected cPanel/WHM versions should upgrade to a patched release as soon as practical.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-11
Advisory published: 2026-05-05
Advisory updated: 2026-05-11

Who should care

cPanel/WHM administrators and operations teams responsible for systems that use the bundled Exim package, especially any deployment still running a build older than 136.0.7, 134.0.23, 118.0.64, or 110.0.112.

Technical summary

The vendor advisory groups CVE-2026-40684 with CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687 and states that the issue affects Exim versions prior to 4.99.2. cPanel indicates the fix was delivered by updating cpanel-exim to 4.99.2 via CPANEL-53011 in the listed patched cPanel/WHM versions.

Defensive priority

High for any cPanel/WHM installation that has not yet received one of the patched builds, because the vendor has already released a fix and recommends upgrading immediately.

Recommended defensive actions

  • Upgrade cPanel/WHM to one of the vendor-patched builds: 136.0.7, 134.0.23, 118.0.64, or 110.0.112.
  • Verify the installed cpanel-exim package version is 4.99.2 or later after upgrading.
  • Review fleet inventory for any cPanel/WHM systems still on older builds and prioritize those for remediation.
  • Monitor vendor changelogs and security advisories for any follow-up guidance related to the grouped Exim CVEs.
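A small triage helper for the first three actions above, added here as an illustration and not taken from cPanel or the advisory. It classifies each host's cPanel/WHM build against the patched build for its branch (136.0.7, 134.0.23, 118.0.64, 110.0.112) and checks the cpanel-exim version against 4.99.2; the host inventory is constructed sample data, and how you collect the version strings from each server is left to your own tooling.

```python
# Added example: classify cPanel/WHM builds and cpanel-exim versions against
# the patched releases named in the vendor advisory for CVE-2026-40684.

# Patched build per major branch, taken from the advisory.
PATCHED_BUILDS = {
    136: (136, 0, 7),
    134: (134, 0, 23),
    118: (118, 0, 64),
    110: (110, 0, 112),
}
FIXED_EXIM = (4, 99, 2)  # cpanel-exim version that carries the fix


def parse_version(text):
    """Turn '134.0.22' or '4.99.2-1.cpanel' into a tuple of ints.
    Anything after the first '-' (package release suffix) is ignored."""
    dotted = text.strip().split("-")[0]
    return tuple(int(p) for p in dotted.split("."))


def whm_status(build):
    """'patched', 'vulnerable' or 'unknown' for a cPanel/WHM build string.
    Branches the advisory does not list are reported as 'unknown', never
    assumed safe, so they still get a human look."""
    version = parse_version(build)
    fixed = PATCHED_BUILDS.get(version[0])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def exim_status(version):
    """'patched' when cpanel-exim is 4.99.2 or later, else 'vulnerable'."""
    return "patched" if parse_version(version) >= FIXED_EXIM else "vulnerable"


def triage(inventory):
    """inventory: iterable of (host, whm_build, exim_version).
    Returns hosts that are not confirmed patched on BOTH checks, so an
    upgraded build with a stale cpanel-exim package is still flagged."""
    needs_action = []
    for host, build, exim in inventory:
        if whm_status(build) != "patched" or exim_status(exim) != "patched":
            needs_action.append((host, whm_status(build), exim_status(exim)))
    return needs_action


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("web01.example", "136.0.7", "4.99.2-1.cpanel"),   # fully patched
    ("web02.example", "134.0.22", "4.98.1-3.cpanel"),  # old build, old exim
    ("web03.example", "118.0.64", "4.98.2-1.cpanel"),  # build ok, exim stale
    ("web04.example", "120.0.5", "4.99.2-1.cpanel"),   # unlisted branch
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("needs action:", row)
```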

Evidence notes

Vendor advisory published 2026-05-05 and updated 2026-05-11 states: 'Several security vulnerabilities were reported in Exim, impacting versions prior to 4.99.2' and that an updated Exim package is already available in cPanel versions 136.0.7, 134.0.23, 118.0.64, and 110.0.112. The advisory also references 'Fixed CPANEL-53011: Update cpanel-exim to 4.99.2' and lists CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687.

Official resources

Vendor advisory first published on 2026-05-05T15:45:46.000Z and modified on 2026-05-11T20:04:50.000Z. This debrief uses the vendor’s published dates and does not infer any earlier issue date.