ByteOS Network

WebPros

Source -

CNACISA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-29200

Assigner-HackerOne

View Details

Assigner-HackerOne

CVSS Score-9.9||CRITICAL

EPSS-0.04% / 12.20%

7 Day CHG~0.00%

Published-04 May, 2026 | 05:42

Updated-06 May, 2026 | 19:05

A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.

Vendor-WebPros

Product-Comet Backup

CWE ID-CWE-639

Authorization Bypass Through User-Controlled Key

CVE-2026-41940

Assigner-VulnCheck

View Details

Assigner-VulnCheck

CVSS Score-9.3||CRITICAL

EPSS-26.55% / 96.36%

7 Day CHG~0.00%

Published-29 Apr, 2026 | 15:10

Updated-06 May, 2026 | 15:48

Known KEV||Action Due Date - 2026-05-03||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

WebPros cPanel and WHM Authentication Bypass via Login Flow

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Vendor-WebPros WebPros cPanel (WebPros International, LLC)

Product-wp_squared whm cpanel cPanel WHM WP Squared cPanel & WHM and WP2 (WordPress Squared)

CWE ID-CWE-306

Missing Authentication for Critical Function