PatchSiren cyber security CVE debrief
CVE-2026-40685 cPanel CVE debrief
cPanel’s advisory groups CVE-2026-40685 with three related Exim issues and states that versions of Exim prior to 4.99.2 are affected. For cPanel/WHM customers, the vendor says a patched Exim package is already available in specific builds, so the practical response is to move to the fixed cPanel/WHM release rather than waiting for a separate standalone remediation note.
- Vendor: cPanel
- Product: cPanel/WHM
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-05
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-05
- Advisory updated: 2026-05-11
Who should care
cPanel/WHM administrators and operations teams running Exim through cPanel-managed packages, especially any systems on builds older than the vendor-published fixed versions.
Technical summary
The vendor advisory provides limited technical detail for this specific CVE, but it clearly identifies Exim as the affected component and says the vulnerability applies to versions prior to 4.99.2. cPanel states that the bundled cpanel-exim package was updated to 4.99.2 and that the fix is present in cPanel/WHM versions 136.0.7, 134.0.23, 118.0.64, and 110.0.112. The advisory groups CVE-2026-40685 with CVE-2026-40684, CVE-2026-40686, and CVE-2026-40687, and does not separate the impact or exploitation conditions for each ID in the source provided.
Defensive priority
High for environments using cPanel/WHM-managed Exim packages, because the vendor has already shipped corrected builds and explicitly directs customers to update. The source corpus does not provide enough detail to rank exploitability beyond the vendor’s remediation guidance.
Recommended defensive actions
- Upgrade cPanel/WHM to one of the vendor-published fixed builds: 136.0.7, 134.0.23, 118.0.64, or 110.0.112.
- Verify that the installed cpanel-exim package reports version 4.99.2 or later after the upgrade.
- Inventory any cPanel/WHM systems still on older release trains and schedule updates as a priority maintenance item.
- Use the vendor advisory and official CVE/NVD records to track any later detail changes for this CVE and the related Exim advisories.
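The two version checks above (fixed cPanel/WHM build, and cpanel-exim at 4.99.2 or later) are easy to get wrong with a plain string comparison, since "4.99.10" sorts before "4.99.2" lexically. The POSIX shell script below is an added example and is not cPanel's own tooling: it compares dotted versions component by component against the fixed builds the advisory lists, and reports a release train the advisory does not mention as "unlisted" rather than assuming it is fixed. The commands named in the comments for reading the live values (`/usr/local/cpanel/cpanel -V`, `rpm -q --qf '%{VERSION}\n' cpanel-exim`), the exact shape of their output, and the handling of a legacy leading "11." on the cPanel version string are assumptions; the sample values at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the cPanel advisory. Checks a cPanel/WHM build and a
# cpanel-exim package version against the fixed versions stated in the advisory:
#   cPanel/WHM fixed builds: 136.0.7, 134.0.23, 118.0.64, 110.0.112
#   Exim fixed version:      4.99.2

# numeric_prefix V: keep only the leading digits-and-dots part of a version
# string, so a package release suffix such as "-1.cp136" does not break the
# numeric comparison (suffix format is an assumption about the package naming).
numeric_prefix() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# ver_ge A B: succeed (exit 0) when dotted version A >= B, comparing each
# numeric component in turn; missing components count as 0.
ver_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
    done
    return 0
}

# cpanel_status VERSION: prints "fixed", "vulnerable", or "unlisted".
# The major component selects the release train; only trains the advisory
# names get a verdict. A train the advisory does not list is reported as
# "unlisted" so it is checked against the vendor rather than assumed safe.
cpanel_status() {
    v=$(numeric_prefix "$1")
    # Assumption: some installs report a legacy "11." prefix (e.g. 11.110.0.112).
    case "$v" in 11.*) v="${v#11.}" ;; esac
    train="${v%%.*}"
    case "$train" in
        136) target="136.0.7" ;;
        134) target="134.0.23" ;;
        118) target="118.0.64" ;;
        110) target="110.0.112" ;;
        *)   echo unlisted; return 0 ;;
    esac
    if ver_ge "$v" "$target"; then echo fixed; else echo vulnerable; fi
}

# exim_status VERSION: prints "fixed" when the cpanel-exim version is >= 4.99.2.
exim_status() {
    v=$(numeric_prefix "$1")
    if ver_ge "$v" "4.99.2"; then echo fixed; else echo vulnerable; fi
}

# On a live host the inputs would come from (assumed commands and formats):
#   cpanel_ver=$(/usr/local/cpanel/cpanel -V)
#   exim_ver=$(rpm -q --qf '%{VERSION}\n' cpanel-exim)
# Constructed sample values are used here so the script runs anywhere.
demo_cpanel="136.0.5"
demo_exim="4.99.1-1.cp136"
echo "cPanel/WHM $demo_cpanel: $(cpanel_status "$demo_cpanel")"
echo "cpanel-exim $demo_exim: $(exim_status "$demo_exim")"
```

Run it on a host after the upgrade and expect both lines to report "fixed"; an "unlisted" result for the cPanel/WHM build means the installed train is not one of the four the advisory names, which is a prompt to consult the vendor advisory rather than a verdict either way.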
Evidence notes
Primary evidence is the cPanel support article titled “Exim CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687,” published 2026-05-05 and modified 2026-05-11. The advisory states that Exim versions prior to 4.99.2 are impacted and that the fix is included in cPanel/WHM builds 136.0.7, 134.0.23, 118.0.64, and 110.0.112. The source corpus does not include independent technical root-cause details for CVE-2026-40685 specifically.
Official resources
- CVE-2026-40685 CVE record (CVE.org)
- CVE-2026-40685 NVD detail (NVD)
- Vendor advisory source (cpanel_changelog_rss)
Vendor advisory published by cPanel on 2026-05-05 and updated on 2026-05-11. The supplied source does not indicate this CVE as a KEV item or provide an exploitation timeline.