PatchSiren

CVE-2026-40687 cPanel CVE debrief

cPanel’s advisory groups CVE-2026-40684 through CVE-2026-40687 and says the underlying Exim issues affect versions prior to 4.99.2. cPanel has already released updated cpanel-exim 4.99.2 in patched cPanel/WHM builds, and administrators are advised to upgrade promptly. The source does not include exploit details, impact specifics, or a CVSS score for CVE-2026-40687.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-11
Advisory published: 2026-05-05
Advisory updated: 2026-05-11

Who should care

cPanel/WHM administrators and security teams responsible for systems that include the Exim package (cpanel-exim), especially deployments that have not yet moved to cPanel/WHM 136.0.7, 134.0.23, 118.0.64, or 110.0.112.

Technical summary

The vendor advisory states that several security vulnerabilities were reported in Exim and that versions prior to 4.99.2 are affected. cPanel says it has updated cpanel-exim to 4.99.2 and ties the fix to CPANEL-53011, with the patched package available in cPanel/WHM 136.0.7, 134.0.23, 118.0.64, and 110.0.112. No root cause, attack path, or exploitation details are provided in the supplied source for CVE-2026-40687 specifically.

Defensive priority

High: the vendor has published and already shipped a fix, so affected cPanel/WHM environments should be moved to a patched build as soon as practical. The supplied source does not provide enough detail to assign a more precise severity.

Recommended defensive actions

  • Upgrade cPanel & WHM to one of the patched build versions listed by the vendor: 136.0.7, 134.0.23, 118.0.64, or 110.0.112.
  • Verify that cpanel-exim has been updated to 4.99.2 on each affected system.
  • Inventory cPanel/WHM instances running versions earlier than the patched builds and prioritize them for remediation.
  • Track CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687 together, since the vendor advisory treats them as a related set.
  • Monitor the vendor advisory and official CVE/NVD records for any later scoring or technical clarification.
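
The inventory and verification steps above can be scripted once version strings have been collected from each server. The following is an added example, not code from cPanel or from this page; the hostnames and version strings are constructed, and accepting an optional leading "11." on the cPanel version is an assumption about how the string may be recorded.

```python
import re

# Fixed versions as stated in the advisory summary on this page.
PATCHED_BUILDS = {(136, 0): 7, (134, 0): 23, (118, 0): 64, (110, 0): 112}
FIXED_EXIM = (4, 99, 2)

def parse_version(text):
    """Return the leading dotted-numeric part of a version string as ints."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in match.group(1).split("."))

def cpanel_status(version):
    """'patched', 'outdated', or 'review' when the branch has no listed fix."""
    parts = parse_version(version)
    if len(parts) == 4 and parts[0] == 11:  # assumption: optional "11." prefix
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.build, got {version!r}")
    branch, build = parts[:2], parts[2]
    if branch not in PATCHED_BUILDS:
        return "review"
    return "patched" if build >= PATCHED_BUILDS[branch] else "outdated"

def exim_status(version):
    """'patched' if the cpanel-exim version is 4.99.2 or later."""
    parts = parse_version(version)
    parts += (0,) * (3 - len(parts))  # "4.98" compares as 4.98.0
    return "patched" if parts[:3] >= FIXED_EXIM else "outdated"

def triage(host):
    """Combine both checks into one action for a host record."""
    states = (cpanel_status(host["cpanel"]), exim_status(host["exim"]))
    if "outdated" in states:
        return "remediate"
    return "review" if "review" in states else "ok"

# Constructed sample inventory (hostnames and version strings are made up).
INVENTORY = [
    {"host": "web-01", "cpanel": "136.0.7", "exim": "4.99.2-1.cp136~el9"},
    {"host": "web-02", "cpanel": "11.134.0.22", "exim": "4.99.1"},
    {"host": "web-03", "cpanel": "132.0.10", "exim": "4.99.2"},
    {"host": "web-04", "cpanel": "110.0.112", "exim": "4.98"},
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h["host"], triage(h))
```

A host on a branch with no patched build listed here is returned as "review" rather than assumed safe, so it gets checked against the vendor advisory by hand.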

Evidence notes

Vendor advisory published 2026-05-05T15:45:46Z and updated 2026-05-11T20:04:50Z. The source states that Exim versions prior to 4.99.2 are affected and that updated cpanel-exim 4.99.2 is available in cPanel/WHM 136.0.7, 134.0.23, 118.0.64, and 110.0.112, fixing CVE-2026-40684 through CVE-2026-40687. The supplied corpus does not include CVSS, exploitability details, or a root-cause description for CVE-2026-40687.

Official resources

Public vendor advisory first published 2026-05-05T15:45:46Z and last modified 2026-05-11T20:04:50Z. The advisory says the issue affects Exim versions before 4.99.2 and that cPanel has shipped fixes in cPanel/WHM build versions 136.0.7, 134.