Share
## https://sploitus.com/exploit?id=18F7A2BC-0B50-5B94-9F5A-129F9415245E
# CVE-2026-0265 Passive Detector v2
> **Defensive reconnaissance & exposure-detection framework for authorized Bug Bounty targets only.**
A modular, plugin-based passive detector that identifies assets potentially affected by **CVE-2026-0265** โ a high-severity authentication bypass in **Palo Alto Networks PAN-OS** via Cloud Authentication Service (CAS). Pulls targets directly from [arkadiyt/bounty-targets-data](https://github.com/arkadiyt/bounty-targets-data).
---
## โ ๏ธ Legal Notice
**AUTHORIZED BUG BOUNTY USE ONLY.** Only scan domains from public bug bounty program scopes. No exploitation, no payloads, no active attacks.
---
## CVE-2026-0265 Overview
| Field | Details |
|-------|---------|
| **CVE** | CVE-2026-0265 |
| **CVSS** | 7.2 (High) |
| **Vendor** | Palo Alto Networks |
| **Product** | PAN-OS (PA-Series, VM-Series, Panorama) |
| **Impact** | Authentication bypass via CAS signature verification flaw |
| **Condition** | Cloud Authentication Service enabled on login interface |
## Architecture
```
cve/
โโโ main.py # Entry point
โโโ config.yaml # Configuration
โโโ requirements.txt # Dependencies
โโโ core/ # Infrastructure
โ โโโ cli.py # Click CLI (scan, update-targets, import-scope)
โ โโโ config.py # YAML config loader
โ โโโ http_client.py # Async HTTP with retry/rate-limit/proxy
โ โโโ logger.py # Rich terminal + file logging
โ โโโ rate_limiter.py # Per-host token-bucket limiter
โ โโโ worker_pool.py # Bounded async worker pool
โ โโโ cache.py # Disk cache for scan resume
โโโ scopes/ # Bounty target processing
โ โโโ __init__.py # Repo manager (clone/pull)
โ โโโ parser.py # Parse all JSON/TXT scope files
โ โโโ normalizer.py # Deduplicate & filter domains
โโโ importers/ # Platform API importers
โ โโโ hackerone.py # HackerOne structured scopes
โ โโโ bugcrowd.py # Bugcrowd target groups
โ โโโ intigriti.py # Intigriti endpoints
โ โโโ file_importer.py # Text file loader
โโโ enumeration/ # Asset enumeration
โ โโโ subdomains.py # crt.sh passive subdomain enum
โ โโโ live_hosts.py # HTTP(S) liveness probing
โ โโโ technologies.py # Technology fingerprinting
โ โโโ headers.py # Response header analysis
โ โโโ fingerprints.py # Version extraction
โโโ fingerprint/ # Advanced fingerprinting
โ โโโ waf.py # CDN/WAF detection
โโโ detection/ # Legacy detection engine
โ โโโ engine.py # Central orchestrator
โ โโโ signatures.py # YAML signature loader
โ โโโ version_matcher.py # Version range matching
โ โโโ path_checker.py # Safe path probing
โ โโโ banner_grabber.py # Banner extraction
โ โโโ favicon_hasher.py # Favicon mmh3 hashing
โโโ detectors/ # Plugin-based detection
โ โโโ base.py # Abstract detector base
โ โโโ cve_2026_0265.py # CVE-2026-0265 plugin
โ โโโ plugin_engine.py # Plugin orchestrator
โ โโโ templates/ # Nuclei-style YAML templates
โ โโโ cve-2026-0265.yaml
โโโ export/ # Report generation
โ โโโ csv_export.py # CSV output
โ โโโ json_export.py # JSON output
โ โโโ sqlite_export.py # SQLite persistence
โ โโโ report.py # Rich terminal tables
โโโ data/ # Static data
โ โโโ signatures.yaml # Detection signatures
โ โโโ example_targets.txt # Example target file
โโโ cache/ # Runtime cache (auto-created)
โโโ bounty-targets-data/ # Cloned repo
```
## Installation
```bash
cd cve
python -m venv venv
venv\Scripts\activate # Windows
pip install -r requirements.txt
```
**Requires Python 3.12+**
## Quick Start
```bash
# Step 1: Clone bounty targets data
python main.py update-targets
# Step 2: Run scan against all bug bounty targets
python main.py scan
# Step 3: Scan specific program only
python main.py scan --program "paloaltonetworks"
# Step 4: Scan specific domains
python main.py scan -d fw.example.com -d vpn.example.com
```
## CLI Commands
### `update-targets` โ Clone/update bounty-targets-data
```bash
python main.py update-targets
```
### `scan` โ Run passive CVE detection
```bash
python main.py scan [OPTIONS]
Options:
-t, --targets PATH Text file with authorized domains
-d, --domain TEXT Single domain (repeatable)
-p, --program TEXT Filter by program name
-c, --config PATH Config file (default: config.yaml)
--threads INTEGER Override concurrency
--rate-limit INTEGER Override rate limit per host
-o, --output TEXT Output directory
--no-subdomains Skip crt.sh enumeration
--only-live Stop after live host discovery
--tech Show detailed tech fingerprints
--resume Resume interrupted scan
--scan-id TEXT Scan ID for resume
--debug Enable debug logging
--proxy TEXT HTTP proxy URL
--json-only JSON report only
--csv-only CSV report only
--no-sqlite Skip SQLite storage
```
### `import-scope` โ Import from platform API
```bash
python main.py import-scope -s hackerone -p program_handle
python main.py import-scope -s bugcrowd -p program_slug
python main.py import-scope -s intigriti -p program_id
```
## Scan Pipeline
```
โโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Target Loading โ bounty-targets-data / text files / CLI
โโโโโโโโโโโฌโโโโโโโโโโโโ
โผ
โโโโโโโโโโโโโโโโโโโโโโโ
โ 2. Subdomain Enum โ crt.sh Certificate Transparency
โโโโโโโโโโโฌโโโโโโโโโโโโ
โผ
โโโโโโโโโโโโโโโโโโโโโโโ
โ 3. Live Discovery โ HTTP(S) probing on ports 80/443/8443/4443
โโโโโโโโโโโฌโโโโโโโโโโโโ
โผ
โโโโโโโโโโโโโโโโโโโโโโโ
โ 4. CVE Detection โ Plugin engine โ all registered detectors
โ โโ Header analysis โ
โ โโ Body matching โ
โ โโ Version check โ
โ โโ Path probing โ
โ โโ Favicon hashing โ
โ โโ WAF detection โ
โ โโ CAS indicators โ
โโโโโโโโโโโฌโโโโโโโโโโโโ
โผ
โโโโโโโโโโโโโโโโโโโโโโโ
โ 5. Reporting โ Terminal + CSV + JSON + SQLite
โโโโโโโโโโโโโโโโโโโโโโโ
```
## Target Sources
The tool parses all files from `arkadiyt/bounty-targets-data`:
| File | Platform | Format |
|------|----------|--------|
| `hackerone_data.json` | HackerOne | Structured scopes |
| `bugcrowd_data.json` | Bugcrowd | Target groups |
| `intigriti_data.json` | Intigriti | Endpoints |
| `yeswehack_data.json` | YesWeHack | Web applications |
| `federacy_data.json` | Federacy | Targets |
| `domains.txt` | Aggregated | One domain per line |
| `wildcards.txt` | Aggregated | Wildcard domains |
## Detection Methods
| Technique | Confidence | Method |
|-----------|------------|--------|
| Version range match | High (95%) | Extract PAN-OS version, check against known vulnerable ranges |
| Server header | High (85%) | "PanWeb Server" in Server header |
| X-PANW-* headers | High (80%) | Palo Alto proprietary headers |
| CAS body indicators | High (85-90%) | "Cloud Authentication" / "cas-login" in body |
| Path probing | Medium (60-80%) | HEAD requests to `/php/login.php`, `/global-protect/login.esp` |
| Favicon hash | Medium (80-85%) | mmh3 hash comparison against known PAN-OS favicons |
| Body keywords | Medium (55-65%) | "PAN-OS", "GlobalProtect", "Palo Alto Networks" |
| Cookie names | Medium (70%) | PANW_SESSID in Set-Cookie |
## Output Formats
### Reports directory structure
```
reports/
โโโ scan_2026-05-21_01-30-00.csv # CSV report
โโโ scan_2026-05-21_01-30-00.json # JSON report
โโโ findings.db # SQLite database
```
### SQLite Schema
```sql
-- Query vulnerable findings
SELECT hostname, version, confidence, status
FROM findings
WHERE status = 'VULNERABLE'
ORDER BY confidence DESC;
-- Scan history
SELECT * FROM scans ORDER BY started_at DESC;
```
## Safety Guarantees
- โ
Passive and non-intrusive only
- โ
No exploitation or payload delivery
- โ
No authentication bypass attempts
- โ
No brute force or fuzzing
- โ
No shell execution or RCE
- โ
No destructive requests (HEAD/GET only)
- โ
Per-host rate limiting (configurable)
- โ
User confirmation before scanning
- โ
Only scans public bug bounty scope targets
- โ
CDN/WAF awareness
## Configuration
See `config.yaml` for all options. Key environment variables:
```bash
# Override at runtime
CVE_CONCURRENCY=10
CVE_RATE_LIMIT=3
CVE_TIMEOUT=15
# Bug bounty platform API tokens
HACKERONE_API_USERNAME=...
HACKERONE_API_TOKEN=...
BUGCROWD_API_TOKEN=...
INTIGRITI_API_TOKEN=...
```
## License
For authorized security research only. Use responsibly.