Provenance Record

Well-structured News piece. Clear lead, technical CRLF/saveSession explanation grounded in watchTowr's primitive write-up, government-targeting context from The Hacker News, conservative What We Don't Know section. 744 words, within News range.

{"source-0_helpnetsecurity":"Verified verbatim: 'exploiting CVE-2026-41940 since February 23, and have likely been abusing it even earlier'; KnownHost CEO Pearson quote 'any exploit has amounted to let me see if this works'; Shodan ~1.5M figure; advisory covers 'all cPanel and WHM versions after v11.40, and v136.1.7 of WP Squared'; 650K Censys update.","source-1_watchtowr":"Verified: Sina Kheirkhah, April 29 2026; saveSession routine; whostmgrsession cookie; Authorization: Basic header CRLF primitive; 6 patched versions. Quote 'If we send an Authorization: Basic header whose decoded <user>:<pass> contains \\r\\n in <pass>, those bytes are written straight into the session file' verified verbatim.","source-2_rapid7":"Verified: 'an issue with session loading and saving'; 'Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages'; 'Organizations running on-premise instances of cPanel & WHM or WP Squared should prioritize upgrading to a fixed version on an emergency basis'; CVSS 9.8.","source-3_csa_singapore":"Verified verbatim: 'This vulnerability is being actively exploited in the wild. A proof of concept is publicly available'; admins 'are advised to update to the latest versions immediately'; mitigation guidance 'restricting external connectivity to ports 2083, 2087, 2095, and 2096, or stopping the cpsrvd and cpdavd cPanel internal core services'.","source-4_thehackernews":"Verified: 'previously unknown threat actor'; 'detected by Ctrl-Alt-Intel on May 2, 2026'; IP 95.111.250[.]175; targets in 'the Philippines, Laos, Canada, South Africa, and the U.S.'; (*.mil.ph, *.ph, *.gov.la); 'publicly-available proof-of-concepts'; AdaptixC2 framework; Censys quote 'uncovered evidence suggesting the cPanel vulnerability is being weaponized by multiple third-parties within 24 hours of public disclosure'."}

All quoted material traced verbatim to source snapshots. No fabricated quotes, no misattributions detected. Article does NOT include the fabricated 'Around 110 files totalling 4.37GB' Chinese railway-sector quantitative claim that caused PR #1149 to be REJECTed — this article correctly stays within what The Hacker News and other sources actually reported.

APPROVE_WITH_CORRECTIONS. Cryptography, sources, and content all check out. The only blocker the automated checks raised is the allowlist warning, which is editorial-process metadata rather than a content concern — the three domains are reputable and their citations are accurate. Publishable as-is with a corrections file documenting the gap.