PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40686 cPanel CVE debrief

cPanel’s advisory groups CVE-2026-40686 with three related Exim issues and says the fix is already available in updated cPanel/WHM builds. The vendor notes that Exim versions prior to 4.99.2 are affected and that upgrading cPanel/WHM to a patched release updates cpanel-exim to 4.99.2. The advisory does not provide separate technical details for CVE-2026-40686 by itself, so the most reliable defensive takeaway is to patch the bundled Exim package through the supported cPanel release channels.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-11
Advisory published: 2026-05-05
Advisory updated: 2026-05-11

Who should care

Administrators of cPanel/WHM servers, especially internet-facing mail hosts and managed hosting environments running Exim through cPanel packages.

Technical summary

According to cPanel’s official advisory, several Exim vulnerabilities affect versions prior to 4.99.2, including CVE-2026-40686. cPanel states that a fixed cpanel-exim package has been released and is included in cPanel/WHM versions 136.0.7, 134.0.23, 118.0.64, and 110.0.112. The advisory links the remediation to CPANEL-53011 and explicitly says the update fixes CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687. No additional per-CVE impact details are provided in the supplied source.

Defensive priority

High for any cPanel/WHM deployment that uses Exim and has not yet been updated to a patched build.

Recommended defensive actions

  • Upgrade cPanel/WHM to one of the vendor-patched builds: 136.0.7, 134.0.23, 118.0.64, or 110.0.112.
  • Verify that the installed cpanel-exim package is at version 4.99.2 or the vendor-fixed equivalent.
  • Prioritize patching on servers that handle external mail traffic or are exposed to the internet.
  • Check vendor change logs for CPANEL-53011 to confirm the fix is present in your release stream.
  • If you cannot patch immediately, increase monitoring of mail service logs and administrative access until the update is applied.
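An added example (not code from PatchSiren or cPanel) that turns the first two actions into an offline fleet check: it compares collected version strings against the four patched builds and the 4.99.2 Exim floor, and reports a cPanel branch the advisory does not name as unknown rather than patched. It assumes the cPanel/WHM version was read from /usr/local/cpanel/version (which has historically carried a leading "11." component) and the package version from rpm -q --qf '%{VERSION}' cpanel-exim; those sources, the "11." handling and the sample inventory are assumptions.

```python
PATCHED_CPANEL_BUILDS = ("136.0.7", "134.0.23", "118.0.64", "110.0.112")
FIXED_EXIM_VERSION = "4.99.2"

def parse_version(text):
    """'v134.0.23', '11.134.0.23' or '4.99.2-1.cpanel' -> tuple of ints."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    # Assumption: the version file's legacy leading "11." is dropped, so
    # 11.134.0.23 is compared as build 134.0.23.
    if len(parts) == 4 and parts[0] == 11:
        parts = parts[1:]
    return parts

def cpanel_status(installed):
    """'patched', 'vulnerable' or 'unknown' for one cPanel/WHM build.
    Fixed builds are per release branch (first component), so a build is
    compared only against the patched build of its own branch."""
    v = parse_version(installed)
    for fixed in PATCHED_CPANEL_BUILDS:
        f = parse_version(fixed)
        if f[0] == v[0]:
            return "patched" if v >= f else "vulnerable"
    return "unknown"  # branch not named in the advisory: check the CPANEL-53011 changelog

def exim_status(installed):
    """Exim versions prior to 4.99.2 are affected per the advisory."""
    fixed = parse_version(installed) >= parse_version(FIXED_EXIM_VERSION)
    return "patched" if fixed else "vulnerable"

def host_status(cpanel_version, exim_version):
    """Vulnerable if either component is, unknown if the cPanel branch
    cannot be assessed, otherwise patched."""
    statuses = {cpanel_status(cpanel_version), exim_status(exim_version)}
    if "vulnerable" in statuses:
        return "vulnerable"
    return "unknown" if "unknown" in statuses else "patched"

if __name__ == "__main__":
    # Constructed sample inventory: (host, cPanel/WHM version, cpanel-exim version)
    inventory = [("mx1", "11.134.0.23", "4.99.2-1.cpanel"),
                 ("mx2", "11.134.0.20", "4.98.1"),
                 ("mx3", "v135.0.3", "4.99.2")]
    for host, cp, ex in inventory:
        print(f"{host}: cpanel={cpanel_status(cp)} exim={exim_status(ex)} "
              f"-> {host_status(cp, ex)}")
```

An "unknown" verdict means the installed branch is not one the advisory lists, so it must be resolved against the vendor change log rather than treated as safe.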

Evidence notes

Primary evidence comes from cPanel’s official support article published 2026-05-05 and updated 2026-05-11. The article states that Exim versions prior to 4.99.2 are impacted and that the fix is included in cPanel/WHM versions 136.0.7, 134.0.23, 118.0.64, and 110.0.112. No CVSS score, exploit details, or standalone technical description for CVE-2026-40686 were provided in the supplied corpus.

Official resources

cPanel published the advisory for CVE-2026-40686 on 2026-05-05T15:45:46Z and updated it on 2026-05-11T20:04:50Z. The supplied source does not indicate a separate issue date beyond that vendor publication timeline.