cPanel deployed a security patch on May 13, 2026 at 1pm EST addressing five newly disclosed CVEs, the most severe rated High. The patch covers vulnerabilities distinct from the previously mass-exploited CVE-2026-41940 auth bypass; these are separate issues surfaced in the May 2026 patch cycle. Managed hosting providers including InMotion Hosting applied the patch automatically for eligible customers. Administrators running self-managed or unmanaged cPanel instances should verify the patch has been applied, as cPanel environments remain a high-value target following the April ransomware campaign tied to CVE-2026-41940. No proof-of-concept code or active exploitation was reported at disclosure, but the prior exploitation history of cPanel flaws shortens the practical window before threat actors begin probing the new fixes.