The strange new world of server security

Vulnerabilities affecting common server software are ramping up, and they're a sign of what's to come. Learn how to proactively protect your code.

Jimmy Crutchfield

2 June 2026

For us in the hosting world, April was a particularly busy month. Vulnerabilities affecting common server software ramped up, with two notable ones landing within hours of each other at the end of the month. 

We’d love to say these were exceptional, but they weren’t. In fact, they’re a sign of what’s to come. 

Two recent server vulnerabilities

  • CVE-2026-41940, a remote authentication bypass in cPanel and WHM, was patched on 28th April. Every supported version was affected. In plain terms: an attacker on the public internet – with no password and no prior access – could walk past the login screen and take full control of every site running on the server. There is evidence of in-the-wild exploitation dating back to late February, months before public disclosure. 
  • Copy Fail (CVE-2026-31431) is a Linux bug disclosed on 29th April 2026 by security firm Theori. It affects pretty much every mainstream Linux distribution built since 2017 – including Debian and AlmaLinux, the two we run for Cito and cPanel. The bug allows any user with even a small foothold on a server (like a compromised customer script, or an out-of-date application running as a low-privileged user) to escalate to full administrative control. Exploiting it requires that initial foothold, but in shared hosting environments where many things run on the same machine, that’s a distinction with fairly limited practical comfort. 

How did we respond?

We patched both, fast. With active exploitation reported in the wild for both, we went onto an incident footing within hours: normal change control paused, all hands on deck to secure our infrastructure. 

The cPanel bug went first because it is remote, unauthenticated, and grants full takeover of every customer site on a box. That makes it the more dangerous of the two. As a proactive measure, we temporarily locked down cPanel access until we were able to verify that all servers were secured. Then, we deployed a patched cPanel/WHM build across our managed estate within hours and audited access logs for any sign of pre-disclosure exploitation against our fleet.

It’s worth noting here that our Cito platform wasn’t impacted at all. We’ve built Cito in house, which means it doesn’t rely on any cPanel components. 

Copy Fail was patched across our Linux estate as soon as we had a fix. Where the official patches lagged behind public disclosure, we applied an interim workaround that closed off the vulnerable code path entirely, and replaced it with proper kernel patches as soon as they were available.

To be unambiguous: nothing in our platform has been compromised by either vulnerability. Plus, there’s no evidence of attempted exploitation against our infrastructure. We monitor the state of the common software our customers depend on – kernel, web server, PHP, database, control panel – so that when something like this lands, we can act immediately. 

And we expect to do this a lot more from here on. 

Why we need to take AI seriously

It would be comforting to think of Copy Fail and the cPanel bug as a bad fortnight that’s now passed. They aren’t. They’re the front edge of a sustained shift that anyone running production infrastructure needs to take seriously. 

Copy Fail was found using AI-assisted vulnerability research and reportedly took roughly an hour to discover. A flaw that sat in mainline Linux for nine years, on every distribution shipped since 2017, was found in an afternoon. There are now dozens of well-funded teams – and a growing number of less well-intentioned ones – applying similar techniques. 

The most striking signal so far came at the start of April, when Anthropic (the AI lab behind Claude) announced a new model called Mythos. Mythos is reportedly so capable of finding and exploiting unknown security bugs that Anthropic decided not to release it publicly at all. Instead, they’ve handed it to a small group of major tech companies (Microsoft, Google, and Apple among them) under a programme called Project Glasswing, specifically so those companies can use it to find and fix vulnerabilities in critical software before similar capabilities become broadly available. 

In Anthropic’s own testing, the model successfully completed expert-level hacking challenges 73% of the time and found genuine zero-day vulnerabilities – bugs that nobody else knew existed – in real open-source projects.

Unfortunately, capabilities like Mythos’s won’t stay locked up at top-tier AI labs forever. The same techniques will be available to less scrupulous actors within months, not years. 

The practical consequence is straightforward: long-dormant bugs in widely deployed software are going to surface much faster than they used to, and patch windows are going to keep shrinking. This isn’t a hosting problem in particular; the same dynamics apply to your browser, your operating system, the firmware on the router under your desk, and the open-source libraries baked into every web application built in the last decade. For the next few months the world will be updating software much more rigorously than it ever has before. 

Staying ahead of this is no easy task. And that’s where managed hosting comes into its own in 2026. You have an agency to run, sites to build, and clients to serve. You shouldn’t also need to be tracking the Linux kernel security mailing list at midnight on a Friday because Mythos’s successor just shipped to a wider audience. That’s our job, and it’s one we take seriously. 

The threat landscape is getting harder for everyone. For our customers, it doesn’t need to make your job harder too. You focus on building websites; we’ll handle the CVEs. 

Protecting your code, proactively

The same dynamics that drove Copy Fail and the cPanel auth bypass are also reaching application code that runs on top of our infrastructure. WordPress core, WordPress themes and plugins, Laravel, Next.js, the long tail of npm and Composer packages – all are well-trodden territory for vulnerability research today, especially where AI’s involved. Plugins that sat unpatched for a decade are exactly the sort of thing modern vulnerability research chews through quickly. 

The security of the application code running on a server is going to matter more, not less, even on well-managed infrastructure. A patched kernel doesn’t help you if an attacker is exploiting a vulnerable WordPress plugin to gain access in the first place. 

We help where we can. We protect every site we host with Monarx, a real-time anti-malware and behavioural detection layer that catches the bulk of web shell and exploit activity even when the underlying application is vulnerable. It’s a strong second line of defence – but it is a second line of defence. The first one is keeping your themes, plugins, frameworks, and dependencies up to date. If you’ve been deferring a WordPress core update or a major plugin update because your site’s been running fine, now’s the time to act.

We’re here to stop security threats in their tracks

You can expect the same thing from us every time a new vulnerability comes close to our stack. As soon as we flag the issue, we’ll publish a notification on our status page. If the problem’s severe, we’ll email you right away.  

You can rest easy that our policies and procedures for vulnerabilities, patching, and security incidents are rock-solid. We also refine and stress-test them regularly so that responses like the past fortnight’s are routine, not dramatic. Your site security is our top priority, which is why we hold ourselves to recognised security standards like ISO 27001 and PCI DSS and never treat compliance as a tick-box exercise.  

If you have any concerns at all – about Copy Fail, the cPanel bug, or the security of your sites – we’re always here to talk. You can also keep an eye on our status page, where we’ll keep you in the loop with new vulnerabilities and our patching status.