Today we also patched the WHMCS installation used for our own customer systems at 040support.nl.
At 040Hosting, WHMCS is used for our:
- billing system
- ticket system
- customer account management
Note: we do not manage WHMCS installations for customers. If you use WHMCS you must update it as soon as possible.
WHMCS Security Update
WHMCS released WHMCS 9.0.4 and WHMCS 8.13.3 as important maintenance releases for the WHMCS 9.0 and 8.13 series.
These releases address a security vulnerability tracked as:
CVE-2026-29204
According to WHMCS, this vulnerability affects WHMCS 7.4 and later.
What Happened
WHMCS confirmed that information relating to this CVE was disclosed earlier than intended due to a submission issue on their side.
To put it plainly: this was a serious mistake.
Security vulnerability details should not become public before customers have had a fair chance to patch their systems. Early disclosure increases the risk window for anyone running affected software, especially when the affected product is used for billing, automation, ticketing and customer management.
Because of this early disclosure, WHMCS accelerated the release of the patched versions so customers could update immediately.
What 040Hosting Did
040Hosting applied the WHMCS security update immediately after the patched release became available.
This was treated as a priority update because WHMCS is used for sensitive internal customer-facing systems at 040support.nl, including billing, invoicing, support tickets and customer account access.
The patch has been implemented on our side.
Customer Impact
Our own WHMCS installation at 040support.nl has been patched.
WHMCS is not included in 040Hosting hosting accounts and we do not manage customer WHMCS installations. If you run your own WHMCS installation, you are responsible for updating it yourself.
WHMCS users should update immediately to the latest patched version available for their release series.
If you are running WHMCS 9.0, update to WHMCS 9.0.4 or newer.
If you are running WHMCS 8.13, update to WHMCS 8.13.3 or newer.
Older WHMCS installations should be reviewed urgently, especially because WHMCS states that the vulnerability affects WHMCS 7.4 and later.
Why This Matters
This incident is a clear reminder that security is not only about the vulnerability itself. The way a vendor handles disclosure also matters.
When vulnerability information is released too early, whether by accident or process failure, customers are put under unnecessary pressure. It reduces the time available to prepare, test and patch in a controlled way.
That is exactly why we monitor vendor security releases closely and act quickly when patches become available.
Our goal remains simple: keep our customer-facing systems protected, stable and available.