While Nobody Was Watching, Our Harvester Caught Three cPanel Exploit PoCs Overnight. CVE-2026-41940.
- Patrick Duggan
- 50 minutes ago
- 3 min read
CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog on April 30, 2026. Critical missing-authentication flaw in WebPros cPanel and WHM, plus the WP Squared bundle. The kind of bug that turns the management plane of a shared-hosting environment into an unauthenticated console.
Federal civilian agencies got a deadline. Everyone else got a problem. Most security teams woke up the next morning and started writing detection content from scratch.
Our exploit harvester woke up at 06:00 UTC on May 1 and indexed three GitHub proof-of-concept repositories that had appeared overnight: zero-x-abdoulaye/CPANEL-CVE-2026-41940, zedxod/CVE-2026-41940-POC, and merdw/cPanel-CVE-2026-41940-Scanner. The harvester emitted detection rules from each one — three rules from the first, one from the second, four from the third — and indexed them into our iocs index with full source attribution and reference URLs.
Nobody clicked anything. Nobody woke up early. The harvester runs on a six-hour cron, queries GitHub Search for newly-published exploit content, normalizes what it finds into detection signatures, and ships them straight into the index where customers consume them through the STIX feed.
This is the receipt.
Search the analytics search API for CVE-2026-41940 and you will see all three markers, timestamped between April 30 18:00 UTC and May 1 06:00 UTC, with the GitHub URLs in the references field. The detection rules are tagged for downstream tooling — anyone integrating our STIX feed into a SIEM gets the endpoint patterns and request shapes the PoC code is hitting, with no human in the loop on our side.
Our compute bill for that overnight catch was effectively zero. The exploit-harvester service runs on the analytics container, which is already running. The GitHub PAT lives in the Key Vault. The cron is one entry in our scheduler. From the moment a PoC repo gets pushed to GitHub to the moment our customers can query for it is, in the typical case, under three hours.
Why this works.
The general security-vendor model is human-driven. A researcher reads disclosures, decides what is interesting, hand-builds detection content, ships it through a release pipeline, customers pull updates on a schedule. That model is fine for stable threats and breaks for anything fast. CVE-2026-41940 is fast — the gap between CISA listing and weaponized PoCs on GitHub was hours, not weeks.
Context-Augmented Generation, the term Patrick has been using since Pi Day, is the alternative. Use the search APIs as substrate. Index everything that looks like a threat artifact. Let the AI agents and the cron jobs do the boring work — the pattern-matching, the deduplication, the format-normalization, the cross-correlation. Humans do the hard work — the judgment calls, the prioritization, the customer conversations, the parts where being wrong matters.
This is also why we make the keys ourselves. Every customer who pulls our STIX feed got the cPanel detection rules at the same moment we did, because there is no release pipeline between our index and their pull. The freshness delay for free-tier customers is forty-eight hours by policy — that is a tier-gating decision, not a technical limit. Paid tiers get the index live. The cPanel content for our paying customers was queryable inside an hour of the harvester run.
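As an added illustration (not the harvester's own code, which the post does not show), here is a minimal Python version of the harvest step described above: filter GitHub Search hits to the current window, normalize each into a STIX-style record with source attribution, and apply the free-tier freshness delay. The search response is constructed, the first three repo names are the ones from the post, the record shape and the tier helper are assumptions.

```python
"""Minimal version of the cron-driven harvest step described in the post (added
example, not the vendor's code): keep GitHub Search hits pushed since the last run,
normalize each into a STIX-style record with source attribution, apply tier delay."""
from datetime import datetime, timedelta, timezone
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Constructed sample of a GitHub repository-search response (only the fields used
# here); the first three names are the repos the post lists, the last is invented
# and was pushed before the previous run, so it must not be emitted again.
SAMPLE_SEARCH_RESULTS = {"items": [
    {"full_name": "zero-x-abdoulaye/CPANEL-CVE-2026-41940", "pushed_at": "2026-04-30T19:12:00Z"},
    {"full_name": "zedxod/CVE-2026-41940-POC", "pushed_at": "2026-05-01T02:40:00Z"},
    {"full_name": "merdw/cPanel-CVE-2026-41940-Scanner", "pushed_at": "2026-05-01T05:05:00Z"},
    {"full_name": "example/old-CVE-2025-00001-poc", "pushed_at": "2026-04-20T10:00:00Z"},
]}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def harvest(search_results, last_run, now):
    """One STIX-style record per repo pushed after last_run, deduplicated by repo."""
    seen, records = set(), []
    for item in search_results["items"]:
        name = item["full_name"]
        if parse_ts(item["pushed_at"]) <= last_run or name in seen:
            continue
        cves = sorted({m.upper() for m in CVE_RE.findall(name)})
        if not cves:  # no CVE in the name: leave attribution to a human reviewer
            continue
        seen.add(name)
        records.append({
            "type": "indicator",  # simplified shape, not a complete STIX 2.1 object
            "labels": ["public-poc"] + [c.lower() for c in cves],
            "created": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "external_references": [{"source_name": "github", "url": f"https://github.com/{name}"}]
                + [{"source_name": "cve", "external_id": c} for c in cves],
        })
    return records

def visible_to_tier(records, tier, now, free_delay=timedelta(hours=48)):
    """Paid tiers read the live index; the free tier sees a record only after the delay."""
    if tier == "paid":
        return records
    return [r for r in records if parse_ts(r["created"]) <= now - free_delay]
```

Run against the sample with a last-run time of April 30 18:00 UTC and a now of May 1 06:00 UTC, the window matches the three repos the post lists and drops the stale one.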
What you should take away.
Watch your CVE attack surface in real time. CISA KEV is a great signal, but the gap between KEV-listing and weaponized exploitation is shrinking. CVE-2026-41940 went from KEV-add to three indexed PoCs in twelve hours. If your detection content pipeline is measured in days, you are losing the early window.
Use the search APIs. Our public ones, somebody else's, your own. The grep-the-blog-post defense model is not adequate for a threat surface that updates hourly. Threat data wants to be queried, not read.
Trust automation more than yesterday and less than tomorrow. The harvester is not a magic detector. It catches public PoCs on GitHub. It does not catch zero-days, private toolkits, or threat actors who keep their work off public repos. The ninety-five percent cap exists for reasons. The five percent that the harvester misses is the five percent that costs the most. We know that, we plan around it, and we still ship the automation because the ninety-five percent it does catch is the part that lets the security team focus on the five percent that requires a human.
Murphy was an optimist. Cap stays at ninety-five.
Receipts at the search API. CVE-2026-41940 is the search term. Three markers, twelve hours, zero humans involved. That is what we shipped on May Day while the founder was at the protest.
