cPanel & WHM Authentication Bypass via Session-File CRLF Injection

Repository contains a single Python exploit script and a README. The main file, cPanelSniper.py, is a standalone stdlib-only exploitation tool for CVE-2026-41940 in cPanel & WHM. It implements a multi-stage unauthenticated authentication bypass chain: discover the canonical WHM hostname using /openid_connect/cpanelid, obtain a pre-auth whostmgrsession cookie from /login/?login_only=1, send a CRLF-injected Authorization header to poison the server-side session file, trigger propagation using /scripts2/listaccts, and verify root-level WHM access through a tokenized /json-api/version request. The script supports single-target, bulk-file, and piped-input scanning with threading and JSON output. Beyond verification, it includes post-exploitation actions described in the code/comments and README: changing the root password, executing arbitrary commands through /json-api/scripts/exec, creating a new WHM account, and listing existing cPanel accounts. The README documents affected versions, exploitation stages, and usage examples. Overall, this is an operational exploit/scanner rather than a mere detector, with built-in post-auth abuse capabilities once the bypass succeeds.

This repository is a standalone Python exploit project, not tied to a common exploitation framework. It contains 9 files total, with the main entry point in CVE-2026-41940.py and supporting Python modules under system/. The codebase is heavily obfuscated with PyArmor: the main script, system/__init__.py, system/core.py, and system/styles.py all wrap encrypted bytecode via __pyarmor__. Because of that, the exact exploit chain, HTTP paths, request structure, and payload behavior cannot be directly extracted from the provided source. What is still clear from the unobfuscated metadata is the intended purpose: a Linux-targeted, GUI-based Python 3 exploit tool for CVE-2026-41940 against WHM/cPanel services. The README states the target is WHM/WebHost Manager and cPanel exposed on port 2087, and requirements.txt shows dependencies on PyQt5 and urllib3, indicating a desktop GUI front-end with network communication capabilities. Dork.txt contains discovery queries specifically aimed at finding WHM/cPanel instances on port 2087, reinforcing that the attack vector is remote web/network exploitation. Repository structure appears partially inconsistent with the README: README references system/gui.py and system/workers.py, but those files are not present in the provided file list. Present files include obfuscated runtime loaders and a large obfuscated system/core.py that likely contains the actual exploit logic. Given the presence of a GUI, network library dependency, and dedicated target-discovery dorks, this is best classified as an operational exploit tool, though the exact payload/result cannot be confirmed due to obfuscation.

This repository is a small single-purpose Python exploit/scanner for CVE-2026-41940 affecting cPanel & WHM. The repo contains one main code file (Scan-CVE-2026-41940.py), two README files (English and Persian), a minimal requirements.txt, and a license. The Python script is the operational entry point and implements a multi-stage unauthenticated network exploit against WHM over HTTPS, typically on port 2087. The exploit logic, as documented in both the README and script header, abuses CRLF injection in the Authorization: Basic header to poison an on-disk WHM session file before sanitization occurs. The chain is structured as: discover canonical hostname via /openid_connect/cpanelid redirect, obtain a pre-auth whostmgrsession cookie from /login/?login_only=1 using bad credentials, send a poisoned Authorization header to /, trigger session propagation with /scripts2/listaccts, and verify success through a tokenized /cpsess.../json-api/version request. Successful exploitation yields a forged WHM root session. Beyond detection, the script includes post-exploitation capability. Based on the embedded usage/help text and comments, supported actions include listing cPanel accounts, changing the root password, creating a new WHM account, and executing arbitrary commands through /json-api/scripts/exec. That makes this more than a simple checker: it is an operational exploit with administrative follow-on actions once the forged session is established. The code appears to support single-target and bulk scanning modes, threaded execution via ThreadPoolExecutor, stdin/list-based target ingestion, JSON result output, colored logging, timeout/thread/rate-limit options, and graceful interrupt handling. requirements.txt lists selenium, but the script header claims stdlib-only and the visible imports are all Python standard library modules, so selenium does not appear central to the main exploit path. Overall, this is a real exploit repository rather than a detection-only script or README-only PoC. It targets unauthenticated remote compromise of WHM administrative access and exposes clear fingerprintable endpoints tied to the exploit stages and post-exploitation workflow.

This repository is a small standalone Python exploit project consisting of LICENSE, README.md, and a single executable script, exploit.py. It is not part of a larger exploit framework. The README describes a cPanel/WHM authentication bypass tied to CVE-2026-41940 and claims support for account leakage, session hijacking, proxying, stealth options, retries, and keep-alive behavior. The main logic resides in exploit.py, which defines a CVE202641940Exploit class and a CLI entry point. The script uses requests for HTTP(S) interaction, urllib.parse for target parsing, regex to extract redirect hostnames, base64 to encode a forged authentication payload, and optional colorama for terminal output. It normalizes the target URL, expects cPanel/WHM ports 2087 or 2083, and attempts canonical host discovery by requesting /openid_connect/cpanelid and parsing the redirect Location header. A notable hardcoded payload is a newline-delimited forged auth blob containing fields such as successful_internal_auth_with_timestamp, user=root, tfa_verified=1, and hasroot=1. This indicates the exploit’s core capability is session/authentication forgery rather than code execution. Based on the README and visible code structure, the intended workflow is: parse target, discover canonical host, send crafted HTTP requests carrying the forged auth material, obtain a privileged session cookie/security token, enumerate cPanel accounts, optionally export results, and optionally keep the session alive. There is no evidence in the provided content of a reverse shell, arbitrary command execution payload, malware behavior, destructive logic, or persistence beyond maintaining the hijacked web session. The exploit is therefore best characterized as an operational web/network authentication bypass and information disclosure tool targeting cPanel/WHM administrative interfaces.

Single-file Python exploit targeting CVE-2026-41940 in cPanel/WHM. The script is an operational mass-target exploitation tool rather than a simple detector: it supports concurrent scanning with ThreadPoolExecutor, processes multiple targets, logs successes/failures, and writes both detailed results and token material to output files. The visible code shows a staged workflow: discover the canonical WHM host using /openid_connect/cpanelid, perform a failed login to harvest a whostmgrsession cookie from /login/?login_only=1, send a crafted Basic Authorization header containing a hardcoded internal-auth style blob to / while replaying the session cookie, then parse a redirected /cpsess########## path indicating elevated session establishment. It next probes /scripts2/listaccts to check session propagation and, based on the banner and main routine output, proceeds to create a reseller account using a createacct flow with reseller_without_domain=1. The script includes username/password generation helpers, disables TLS verification, sets explicit Host headers, and appears designed for stealthy account creation without changing existing passwords. Overall purpose: automate authentication bypass against exposed WHM instances and convert successful compromise into persistent privileged access via newly created reseller credentials.

Repository contains a single substantial Python exploit script (main.py) plus documentation (readme.md). The script presents itself as an 'Advanced cPanel/WHM Authentication Bypass Framework' for CVE-2026-41940. Its core purpose is to exploit an alleged CRLF injection in the cPanel/WHM cpsrvd Basic authentication flow to create or modify session state so the attacker is treated as root. The code defines default injected session fields (successful_internal_auth_with_timestamp, user=root, tfa_verified=1, hasroot=1), a base64-encoded default payload, target port sets for cPanel/WHM services, concurrency settings, and randomized user-agent support. Operationally, the tool supports single-target exploitation, batch processing, and multi-threaded scanning/validation. The README and visible code indicate an attack chain of: minting a session via /login/?user=root, sending a crafted Authorization header carrying CRLF-delimited injected values, promoting the session via a cpsess login_only endpoint, and then using cpsess execute/API paths for post-authentication actions. The latter stages are reinforced by code references to post-exploitation modules and an InteractiveShell class. Capabilities visible from the code and trailing main routine include enumeration of accounts, changing the root password, adding an SSH key for root, printing a login URL with the obtained cpsess token, and optionally launching an interactive shell mode. The script appears to maintain structured exploitation results including target, canonical host, port, session base, cpsess token, extracted cPanel version, HTTP status codes, timing, and errors. The README is somewhat inconsistent with the code: parts describe a Host-header/password-reset style bypass, while the Python source header and constants clearly implement a CRLF-in-Basic-auth/session-injection concept. Despite that inconsistency, the repository is not merely a detector; it is intended as an exploitation and post-exploitation utility. No evidence in the provided content suggests destructive fake behavior. Overall maturity is best classified as OPERATIONAL: it includes a hardcoded working-style payload and multiple post-exploitation actions, but it is not obviously part of a larger reusable exploitation framework like Metasploit.

Repository contains a single Python exploit/scanner (cPanelSniper.py) plus a README. The Python file is the operational component and implements a multithreaded, stdlib-only web exploit workflow for the claimed cPanel & WHM authentication bypass CVE-2026-41940. Based on the visible code and README, the tool disables TLS certificate validation, uses urllib for HTTP(S), supports single-target mode and streaming bulk scans from a file, includes resume support, periodic JSON result saving, colored logging, and concurrent execution via ThreadPoolExecutor. The exploit logic is described as a 4-stage chain: discover the canonical hostname via /openid_connect/cpanelid, mint a pre-auth session via POST /login/?login_only=1, send a crafted Authorization: Basic header containing a base64-encoded CRLF payload to poison the server-side session file, trigger propagation using /scripts2/listaccts, then verify privileged WHM access through a /cpsess.../json-api path. The embedded payload is hardcoded and specifically aims to set root-equivalent session attributes (user=root, hasroot=1, tfa_verified=1, successful_internal_auth_with_timestamp=9999999999). This makes the repository an exploit rather than a detector. Structure is minimal: README.md documents the vulnerability, attack stages, usage claims, and references; cPanelSniper.py is the main entry point with CLI parsing, HTTP request helpers, SSL context handling, logging, stats, output persistence, and streaming target processing. No external framework or third-party dependency is used. Overall purpose is mass exploitation/scanning of internet-exposed cPanel/WHM instances for the claimed auth bypass, with operational features suited for large target lists.

Repository contains a single Python 2.7 exploit script and a README. The main file, CVE-2026-41940.py, is a multithreaded mass-exploitation tool targeting WHM/cPanel for CVE-2026-41940. It normalizes targets to HTTPS, defaults to port 2087, optionally discovers a canonical hostname through /openid_connect/cpanelid, and uses a custom HTTP wrapper with a forged Host header. The exploit flow is staged: first it requests /login/?login_only=1 with invalid root credentials to mint a pre-auth whostmgrsession cookie; next it sends a crafted Basic Authorization header containing a base64-encoded CRLF/header injection payload together with the session cookie to /, then parses the redirect Location header for a leaked /cpsess token; then it calls /scripts2/listaccts to propagate the session state; finally, per the README and visible result handling, it verifies access through WHM JSON API and attempts to change the root password to the hardcoded value Jenderal92. Successful compromises are appended to res.txt in a URL|user|password format. The script includes socket-based port checks, timeout/error handling, concurrent execution via ThreadPoolExecutor, and logging for success/failure states. This is not merely a detector: it performs authenticated post-exploitation by changing credentials, making it an operational exploit with a hardcoded payload rather than a generic framework module.

This repository is a small standalone Python exploit project centered on a single executable script, cpanelCVE.py, with a README and a one-line requirements.txt listing Selenium. It is not part of a larger exploit framework. The script targets the claimed CVE-2026-41940 in cPanel & WHM and is designed to achieve WHM root authentication bypass rather than mere detection. Repository structure is simple: README.md documents the attack flow and usage; cpanelCVE.py contains the exploit logic, HTTP handling, SSL bypass behavior, argument parsing, and browser automation/manual-login helpers; requirements.txt supports the optional Selenium-based auto-login feature. The Python script is the clear entry point and contains the full exploit workflow. Core exploit capability: the script performs a multi-stage web attack against a WHM service. It first normalizes the target by querying /openid_connect/cpanelid to discover the canonical hostname. It then sends a POST to /login/?login_only=1 with invalid credentials to obtain a pre-auth whostmgrsession cookie. Next, it uses a crafted Basic Authorization header containing a base64-encoded CRLF payload intended to write attacker-controlled fields into the server-side session file, including indicators for successful internal auth, root username, TFA verified, and hasroot=1. The README states a propagation step then triggers an internal gadget to flush the poisoned raw session into the live cache, after which the script verifies success by requesting /json-api/version and expecting authenticated version data. Operationally, the exploit disables TLS certificate validation, uses a browser-like User-Agent, supports custom target URLs, and defaults to the WHM port 2087. On success, it can either automate login using Selenium with Chrome or Firefox, or print JavaScript console commands that set the whostmgrsession cookie for the target domain and redirect the browser into the WHM interface. This makes the exploit more than a bare PoC: it includes a practical post-exploitation access mechanism, but payload customization is limited and purpose-built, so OPERATIONAL is the best fit. Notable fingerprintable artifacts include the WHM endpoints /openid_connect/cpanelid, /login/?login_only=1, and /json-api/version; the targeted management port 2087; the whostmgrsession cookie name; and the malicious Authorization header carrying the CRLF injection payload. Overall, the repository's purpose is to obtain and operationalize unauthorized root-level WHM web access on vulnerable cPanel systems.

Single-file Python exploit tool targeting CVE-2026-41940 in cPanel/WHM. The repository contains one operational script, whmxploit.py, which implements a multistage authentication bypass/session forgery workflow against WHM over HTTPS, defaulting to port 2087. The script is not part of a larger exploit framework. Structure and purpose: the file includes banner/CLI handling, target parsing, threaded execution, HTTP helper routines, and staged exploitation logic. It accepts either a single target or a targets file, supports concurrent scanning with ThreadPoolExecutor, suppresses TLS verification warnings, and aggregates results into JSON-compatible records. It can operate in check-only mode or exploitation mode. Main exploit capabilities: (1) normalize and load targets; (2) discover the canonical WHM hostname by requesting /openid_connect/cpanelid and parsing the redirect Location header; (3) perform a failed POST to /login/?login_only=1 to harvest a whostmgrsession cookie; (4) reuse that cookie while sending a crafted Basic Authorization header containing CRLF-injected internal auth fields for root, MFA-verified, and hasroot state; (5) parse the resulting redirect for a /cpsess########## token; (6) test privileged endpoint access via /scripts2/listaccts and /json-api/version; and (7) likely perform a post-auth privileged action such as changing the root password when a password argument is provided. The script classifies outcomes such as VULNERABLE, EXPLOITED, PATCHED, TIMEOUT, CONNREFUSED, ERROR, and NO_SESSION. Fingerprintable behavior/endpoints: the exploit consistently targets WHM HTTPS services on port 2087 and uses the paths /openid_connect/cpanelid, /login/?login_only=1, /, /scripts2/listaccts, and /cpsess##########/json-api/version. It also relies on the whostmgrsession cookie name and Host header manipulation using a discovered canonical hostname. Overall assessment: this is a real exploit, not merely a detector. It contains a hardcoded auth-forgery payload and automated verification logic, making it an operational exploit rather than a simple proof of concept.

Repository contains two Python files: a primary exploit (exploit.py) and an unrelated auxiliary downloader/browser utility (grab.py). The main exploit targets cPanel/WHM and is labeled as CVE-2026-41940, describing an auth bypass chain involving CRLF/header injection, session forgery, and root-level WHM access. The exploit workflow is staged: it parses single or bulk targets, defaults to HTTPS on port 2087, probes /openid_connect/cpanelid to determine the canonical host, performs a pre-auth POST to /login/?login_only=1 to obtain a whostmgrsession cookie, then sends a crafted Basic Authorization header containing newline-separated internal authentication fields alongside the session cookie to induce a privileged session. It extracts a /cpsess########## token from a redirect Location header and continues exploitation in later stages (partially truncated in the provided content). The script supports multithreaded scanning/exploitation, check-only mode, result aggregation, and writes successful hits to success.txt. A notable malicious capability is outbound notification to a hardcoded Telegram bot API endpoint, including the target host and a hardcoded password string in the message. The second file, grab.py, is not part of the exploit chain; it is a Textual-based TUI utility that lists and downloads files from a public PulsedMedia-hosted directory. Overall, this is an operational web/network exploit with scanning and exploitation logic, plus built-in operator notification/exfiltration.

Repository is a small standalone Python proof-of-concept exploit with 3 files: a README describing the attack flow and usage, a single main exploit script (cpanelCVE.py), and a requirements.txt listing Selenium for optional browser automation. The exploit is not part of a larger framework. The main script implements an end-to-end authentication bypass workflow against cPanel & WHM, targeting the claimed CVE-2026-41940. Its structure includes: argument parsing and banner output; low-level HTTP helpers using urllib; TLS verification disabling to tolerate self-signed/invalid certificates; canonical host discovery through /openid_connect/cpanelid; pre-auth session acquisition by POSTing to /login/?login_only=1; CRLF/header-based session poisoning using a hardcoded base64 payload intended to write root-related fields into the server-side session; a propagation step referenced in the README as an internal token-denied gadget; verification of elevated access through /json-api/version; and post-exploitation session use through either Selenium-driven browser automation or manual JavaScript cookie injection instructions. Notable capabilities: it performs active exploitation rather than mere detection; it targets a remote web management interface; it extracts and reuses the whostmgrsession cookie; it can automatically launch Chrome or Firefox and inject the session for interactive WHM access; and it provides a manual fallback that prints browser console commands to set the cookie and redirect into the WHM dashboard. The code uses a realistic desktop browser User-Agent and custom Host header handling, suggesting it is designed to cope with canonical-host redirects and virtual-host behavior. Overall, this repository appears to be an operational PoC for remote root-authentication bypass of WHM, with both API verification and browser-session takeover functionality.

Repository contains a small standalone Python exploit and a README. The main file, cpanel_exploit.py, implements a four-stage attack chain for the claimed CVE-2026-41940 against cPanel/WHM. Stage 1 sends a POST request to /login/?login_only=1 with invalid credentials to mint a pre-auth session and capture the whostmgrsession cookie. Stage 2 sends a GET request to / with a crafted Basic Authorization header whose decoded username contains CRLF sequences and the injected line hasroot=1, attempting to alter server-side session state and obtain a redirected cpsess token. Stage 3 requests /scripts2/listaccts to trigger a session-cache propagation behavior the author treats as necessary for privilege state to take effect. Stage 4 requests /<cpsess_token>/json-api/version and treats HTTP 200 with a version field as confirmation of root-level WHM access. The script supports single-target and bulk-host modes, optional Tor routing through socks5h://127.0.0.1:9150, configurable port/delay, a verify-only mode that stops after token leakage, and JSON result output per host plus a summary file. Overall, this is an operational web/network exploit for authentication bypass and privilege escalation, not merely a detector, though its payload is fixed and purpose-built rather than framework-driven or highly modular.

Repository contains two Python exploit scripts and a minimal README. The code is a direct exploitation tool, not a detector. Both single.py and mass.py target WHM/cPanel over HTTPS, defaulting to port 2087, and implement a multi-stage authentication bypass flow labeled as CVE-2026-41940. The exploit first probes /openid_connect/cpanelid to learn the canonical hostname from a redirect, then POSTs to /login/?login_only=1 with invalid root credentials to mint a pre-auth whostmgrsession cookie. It next sends a crafted Basic Authorization header containing embedded CRLF-style data plus the session cookie to /, expecting a redirect that leaks a /cpsess########## security token. A follow-up request to /scripts2/listaccts is used as a propagation/gadget step, after which the script verifies privileged access through /json-api/version. If verification succeeds, it calls the WHM passwd API to change the root password for user root. single.py is an interactive single-target exploit that prompts for a target and new root password, then performs the full chain and reports success. mass.py extends the same logic to bulk targeting from a file, supports concurrent execution with ThreadPoolExecutor, classifies hosts as vulnerable/patched/error states, and writes successful results to NihResultnya.txt. The embedded payload is hardcoded rather than operator-customizable, so the repository is best classified as OPERATIONAL rather than weaponized.

Repository contains a small standalone Python exploit and a README. The main file, CVE-2026-41940.py, is the sole code artifact and serves as the entry point. It targets cPanel/WHM over HTTPS and automates a claimed authentication bypass for CVE-2026-41940. The exploit workflow is: normalize target input, create a requests session with TLS verification disabled, POST to /login/?login_only=1 to obtain a session cookie, extract either a whostmgrsession or cpsession identifier from the Set-Cookie header, build a base64-encoded Basic Authorization header containing CRLF-injected fields that assert root privileges and a forged cp_security_token, then repeatedly send requests to / and /cpsess1337133713/scripts2/listaccts to trigger a race/cache regeneration condition. Finally, it verifies success by requesting /cpsess1337133713/json-api/version?api.version=1 and checking for a version field in the response. If successful, it prints a root-access message and a PoC URL to /cpsess1337133713/main.html. The README explains the claimed impact, affected service ports, mitigation guidance, and usage examples. Overall, this is an operational PoC exploit for remote web-based authentication bypass against exposed cPanel/WHM instances, not merely a detector.

This repository is a small Python exploit toolkit for a claimed cPanel/WHM authentication bypass (CVE-2026-41940). It contains two executable scripts: exploit.py for single-target exploitation and mass.py for batch exploitation against multiple WHM hosts. requirements.txt lists requests and urllib3, and the GitHub Actions workflow only performs Python syntax checks. The exploit logic is explicit and operational rather than merely demonstrative. Both scripts disable TLS certificate verification, parse a target URL, and default to WHM port 2087. They first query /openid_connect/cpanelid to infer the canonical hostname from a redirect. Next, they POST to /login/?login_only=1 with bogus root credentials to obtain a whostmgrsession cookie. They then send a GET / request with a crafted Basic Authorization header containing a base64-encoded CRLF injection payload that asserts root identity and internal-auth flags (successful_internal_auth_with_timestamp, user=root, tfa_verified=1, hasroot=1). If successful, the server leaks a /cpsess########## token in a redirect Location header. After token leakage, the scripts call /scripts2/listaccts as a propagation/cache gadget and then verify privileged access by requesting {token}/json-api/version. If verification succeeds, the operator has WHM root-level API access. The mass.py script optionally weaponizes this further by calling {token}/json-api/passwd?api.version=1&user=root&password=... to change the root password across one or more targets. In exploit.py, the password-change helper exists but is commented out; instead, the script prints guidance that the operator can log in and use WHM terminal functionality to obtain a root shell. Repository structure is straightforward: exploit.py is the main single-host exploit, mass.py wraps the same stages in a loop over targets from --target or --file, README.md documents the attack chain and usage, and CI only validates syntax. Overall purpose: automate unauthorized acquisition of privileged WHM session context and optionally perform post-auth administrative actions, especially root password reset, against vulnerable cPanel/WHM servers.

This repository is a small standalone Python exploit for CVE-2026-41940 affecting cPanel/WHM. It contains two files: a minimal README.py with usage examples and the main exploit script cpan.py. The script is not part of a larger exploitation framework. The exploit supports two modes: detection and exploitation. In detection mode, it checks TCP reachability on the target port (default 2087), resolves a canonical hostname using /openid_connect/cpanelid, and attempts to identify the installed cPanel version from /json-api/version, /xmlapi/version, or the root page. It compares the discovered version against hardcoded patched thresholds for several 11.x branches and reports likely vulnerable, likely patched, or inconclusive. In exploitation mode, the script performs a four-stage network attack chain: (1) obtain a pre-auth WHM session cookie from /login/?login_only=1 using dummy root credentials; (2) send a crafted Authorization header containing a base64 payload with CRLF-separated fields to inject privileged authentication state and recover a /cpsess########## token from the redirect; (3) access /scripts2/listaccts to propagate/validate the injected state; and (4) verify root-level access by querying <token>/json-api/version. On success, it reports unauthenticated root access. Post-exploitation capabilities are built in. Without --exec, it performs read-only enumeration of version and account data through the JSON API. With --exec CMD, it invokes the cPanel Exec API to run an arbitrary command on the target. The code also warns when the canonical hostname differs from the supplied host, indicating possible shared-hosting impact across multiple tenants. Overall, this is an operational exploit with a hardcoded payload and direct post-exploitation actions. Its primary purpose is to validate and exploit an authentication bypass in exposed WHM services, yielding privileged session access and optional command execution.

This repository is a small, single-purpose Python verification tool for CVE-2026-41940 affecting cPanel & WHM. It contains only two files: a README with vulnerability context, patched versions, usage, and remediation guidance; and one executable Python script, verify_cve2026_41940.py, which implements the verification logic. The script is not just passive detection; it performs an active authentication-bypass attempt against a remote WHM target. Its workflow is: resolve the canonical host by requesting /openid_connect/cpanelid and parsing the redirect Location header; create a pre-auth session by POSTing invalid credentials to /login/?login_only=1 and extracting the whostmgrsession cookie; send a crafted Basic Authorization header containing forged internal-auth fields (including user=root, hasroot=1, tfa_verified=1, and a far-future successful_internal_auth_with_timestamp) to /; parse the redirect for a leaked /cpsess########## path; trigger follow-on behavior with /scripts2/listaccts; and finally verify unauthorized privileged access by requesting <cpsess>/json-api/version?api.version=1. A 200 response containing a version field, or certain license-related 500/503 responses, is treated as evidence of successful exploitation. Notable implementation details: the script uses Python standard-library modules only (argparse, base64, http.client, re, ssl, time, urllib.parse); it supports HTTP and HTTPS, defaults to HTTPS on port 2087, disables TLS certificate validation, and sets a custom User-Agent of CVE-2026-41940-checker/0.1. The payload is hardcoded and aimed specifically at verifying root/WHM access rather than delivering a shell or arbitrary command execution. Overall, the repository's purpose is defensive validation of a network-reachable authentication bypass in WHM. Despite the README describing it as verification-only, the code actively exercises the bypass condition and confirms whether unauthorized root-level panel/API access can be achieved.

This repository is a small standalone Python proof-of-concept for CVE-2026-41940 targeting cPanel/WHM's cpsrvd service. The repo contains 5 files: a README describing the vulnerability and usage, a single main exploit script (poc.py), a requirements file listing requests/urllib3, plus license and gitignore. There is no framework integration; poc.py is the clear entry point. The exploit logic is operational rather than merely demonstrative. It performs a multi-stage authentication bypass workflow: (1) parse the supplied target and optionally discover the canonical hostname by requesting /openid_connect/cpanelid and reading the redirect Location header; (2) send a failed login to /login/?login_only=1 to obtain a pre-auth whostmgrsession cookie; (3) send a crafted request to / with a malicious Basic Authorization header and the session cookie to trigger the CRLF/header-poisoning condition; (4) extract a /cpsess########## token from the redirect response; (5) hit follow-on WHM endpoints such as /scripts2/listaccts, /json-api/listaccts, /json-api/version, and /json-api/loadavg to propagate and verify privileged access. Based on the README and visible code, successful exploitation yields root WHM access. The script then exposes post-auth capabilities through an interactive shell. Commands shown in the README and partially visible in the code include listing cPanel accounts, retrieving version/hostname/load information, checking effective privileges, enumerating MySQL databases, changing the root password, creating cPanel accounts, and invoking arbitrary WHM API functions with JSON parameters. That makes this more than a detector: it is an exploit with meaningful post-exploitation administration capability. Notable implementation details: TLS verification is explicitly disabled; the script uses requests.Session; it sets a Host header based on a discovered canonical hostname; it handles SIGINT/SIGTERM; and it supports optional command-line arguments for target URL, hostname override, password change, and interactive shell behavior. No destructive fake behavior is evident, and the code structure aligns with the claimed vulnerability and exploitation flow.

Repository contains a single substantial Python exploit script and a short README. The main file, POC_CVE-2026-41940.py, is a standalone stdlib-only scanner/exploit for an alleged cPanel & WHM authentication bypass (CVE-2026-41940) based on CRLF injection into session data via a crafted Authorization header. The script’s documented chain is: discover canonical hostname using /openid_connect/cpanelid, request /login/?login_only=1 with bad credentials to obtain a pre-auth session, send a poisoned Authorization: Basic header to / so attacker-controlled fields are written into the session file, trigger /scripts2/listaccts to activate/flush the poisoned state, then verify privileged access through /{token}/json-api/version. The embedded payload sets fields such as user=root, tfa_verified=1, and hasroot=1. Capabilities go beyond detection: after successful bypass, the tool supports post-exploitation actions including listing cPanel accounts, changing the root password, executing arbitrary commands through /json-api/scripts/exec, creating a new WHM account, and reading files (based on CLI options shown). It supports single-target mode, bulk scanning from a file or stdin, multithreading, JSON output, colored logging, and optional rate limiting. The README mirrors these operational use cases, including command execution and an interactive shell mode. Overall, this is an operational exploit tool rather than a simple detector or proof-of-concept, with clear targeting of exposed WHM web interfaces over ports such as 2086/2087.

Repository contains a minimal README and a single Python exploit script, poc.py, which is the clear entry point. The script is an operational exploit for cPanel WHM that performs a multi-stage authentication bypass/session-confusion workflow against the WHM HTTPS service, defaulting to port 2087. The code first sends a failed login request to /login/?login_only=1 to harvest a whostmgrsession cookie, then sends a crafted Authorization header containing a base64-encoded forged internal-auth blob for root. It extracts a leaked /cpsess########## token from the redirect Location header, triggers propagation with /scripts2/listaccts, and verifies privileged access through WHM JSON APIs such as /json-api/version and gethostname. Beyond proving access, the exploit includes post-exploitation features. It can enumerate, create, and revoke WHM API tokens via api_token_list, api_token_create, and api_token_revoke, enabling persistence as root. It also supports direct interactive shell access by connecting to the WHM terminal feature over WebSocket, effectively giving the operator a root terminal in the browser-backed terminal subsystem. Command-line options support single-target exploitation (--target), bulk persistence mode from a target list (--list with --persist), interactive shell mode (--shell), token persistence output (--output), and terminal tuning/debug options (--delay, --debug). Overall purpose: unauthorized root-level access to vulnerable WHM instances, with two main capabilities: immediate interactive root shell via WebSocket terminal and durable persistence via root API token creation. The repository is not a detector; it is a real exploit with post-exploitation functionality.

This repository is a standalone Go-based exploit tool for CVE-2026-41940, described as a cPanel & WHM authentication bypass via CRLF injection in session handling. The repository is small and centered on a single executable source file, main.go, plus documentation, a sample results file, a large target list, and a GitHub Actions workflow that cross-compiles binaries for Windows, Linux, and macOS. The exploit logic in main.go implements a multi-stage network attack chain against WHM over HTTPS, defaulting to port 2087. It first discovers the canonical hostname using /openid_connect/cpanelid, then requests a pre-auth session via POST /login/?login_only=1 with invalid credentials, extracts the whostmgrsession cookie, and performs a CRLF injection by sending a crafted Basic Authorization header containing base64-encoded newline-delimited session fields. The injected fields are intended to mark the session as internally authenticated, verified for TFA, and associated with root privileges. The tool then parses a /cpsess########## token from the redirect Location header and uses WHM API paths to validate successful compromise. The README indicates additional post-exploitation capabilities beyond verification, including listing cPanel accounts, interactive shell access, command execution, and other administrative actions controlled by CLI flags such as -action, -cmd, -passwd, -user, -domain, -ssh, -dump, and -exfil. Because the code excerpt is truncated, not every handler is visible, but the flag surface and documentation strongly indicate the tool is designed for both exploitation and follow-on administrative abuse once root WHM access is obtained. Operationally, the tool supports single-target mode, file-based mass scanning via urls.txt, stdin-fed targets, configurable concurrency, verbose HTTP request/response dumping, timeout control, and JSON result export. It disables TLS certificate verification, avoids redirects, and is built for high-volume scanning. The included urls.txt contains a large list of public IPs and hostnames, which appears intended for bulk targeting. The included results.json demonstrates successful identification of at least one vulnerable host and records the target URL, cpsess token, API verification URL, session identifier, and timestamp. Overall, this is a real exploit implementation rather than a detector or README-only repository. It is best classified as OPERATIONAL: it contains working exploit code and a hardcoded payload for privilege escalation, but it is not embedded in a larger exploitation framework.

This repository is a standalone Python proof-of-concept exploit toolkit for an alleged cPanel/WHM authentication bypass tracked here as CVE-2026-41940. It is not part of a major exploit framework. The repo contains 9 files, with the main logic split across main.py and modules/{cli,constants,exploit,output}. main.py is the entry point and orchestrates either single-target exploitation or concurrent mass scanning using a ThreadPoolExecutor. modules/cli.py handles argument parsing, host:port parsing, and target-file/CIDR expansion. modules/constants.py defines default service ports, cookie names, retry limits, and vulnerability metadata. modules/output.py provides Rich-based terminal UI, progress bars, summaries, and output-file writing. modules/exploit.py contains the core attack logic: HTTP session creation with retries, passive cPanel detection, session cookie parsing, CRLF payload construction, Authorization header generation, and worker logic for exploit/check operations. The exploit’s stated purpose is to abuse session-file manipulation via CRLF injection in cPanel/WHM authentication handling. The visible code shows a crafted Basic Authorization payload that injects session fields such as hasroot=1, tfa_verified=1, user=<target_user>, cp_security_token=/cpsess9999999999, and successful_internal_auth_with_timestamp=<timestamp>. The README describes a 4-step chain: create a session via POST /login/?login_only=1, trigger CRLF injection with a GET / request carrying the malicious Authorization header, then access privileged resources under /cpsess<TOKEN>/ and confirm success via /json-api/version. The truncated exploit.py content prevents full confirmation of every request implementation, but the available code and README consistently indicate an operational exploit rather than a detector-only script. Capabilities include passive fingerprinting of cPanel/WHM/webmail instances, optional version extraction from returned HTML, single-host exploitation, mass exploitation, configurable concurrency up to 50 workers, retry-enabled HTTP sessions, SSL/no-SSL modes, optional SSL verification disablement, quiet/no-banner modes for automation, and writing vulnerable hosts to an output file. Fingerprintable targets and observables include the cPanel management ports 2087/2086/2083/2082/2096/2095, cookie names whostmgrsession and cpsession, the hardcoded token path /cpsess9999999999, and the documented endpoints /login/?login_only=1, /, /cpsess<TOKEN>/, and /json-api/version. Overall, this is a modular offensive PoC aimed at authenticated-session bypass and privilege escalation against vulnerable cPanel-family services.

This repository is a small standalone Python exploit project with 2 files: a README describing usage and an executable script, exploit.py, which contains the full exploit logic. It is not part of a known exploitation framework. The exploit targets CVE-2026-41940, described here as an authentication bypass in cPanel/WHM. The script’s stated workflow is: send an initial failed login or pre-auth request to obtain session-related state, abuse CRLF/header injection to forge or poison authorization/session handling, access privileged WHM resources, verify success via WHM API endpoints, and optionally change the root password. The code also includes multithreaded scanning, randomized browser-like headers/user agents, disabled TLS verification warnings, JSON result output, and optional Telegram notifications. Repository structure: - README.md: documents installation, CLI arguments, examples, expected output, and the exploit chain. - exploit.py: main Python entry point with argparse-based CLI, target parsing/loading, thread pool execution, result aggregation, and exploitation logic. Main capabilities observed: - Accepts either a single target or a file of targets. - Normalizes targets and assumes WHM HTTPS port 2087 when omitted. - Supports check-only mode to validate likely vulnerability without changing credentials. - In exploit mode, attempts to change the WHM root password using the WHM passwd API. - Uses randomized User-Agent and browser-like headers to reduce obvious automation fingerprints. - Runs against multiple hosts concurrently using ThreadPoolExecutor. - Saves structured JSON results to a user-specified output file. - Sends Telegram alerts on successful exploitation if bot token/chat ID are configured. Notable target-facing endpoints are WHM administrative/API paths such as /scripts2/listaccts, /json-api/version, and /json-api/passwd, all consistent with post-auth administrative functionality. The Telegram Bot API is the only external third-party service referenced by the code. Overall, this is an operational exploit rather than a mere detector: it contains logic for both vulnerability validation and post-bypass impact (root password change).

This repository is a small standalone Python exploit for CVE-2026-41940 targeting cPanel/WHM authentication bypass on the WHM service, typically exposed on port 2087. The repository contains only two files: a minimal README with usage examples and a single executable script, exploit.py, which is the main entry point. The exploit is clearly operational rather than a simple detector. It performs a multi-stage network attack against a remote WHM instance: (1) it parses a target URL and optionally processes a file of targets; (2) it discovers the canonical hostname by requesting /openid_connect/cpanelid and reading the redirect Location header; (3) it sends a POST to /login/?login_only=1 with invalid credentials to obtain a whostmgrsession cookie; (4) it reuses the cookie while sending a crafted Basic Authorization header containing CRLF-injected internal authentication fields that assert root identity, TFA verification, and root privileges; (5) it extracts a leaked /cpsess########## token from a redirect Location header; (6) it calls /scripts2/listaccts to trigger propagation of the manipulated session state; (7) it verifies privileged access via {token}/json-api/version; and finally (8) it invokes the WHM passwd API to change the root password. The script’s main capability is full authentication bypass leading to privileged WHM API access as root. Its post-exploitation action is hardcoded: it changes the root password to 'root' and prints that the operator can log in with root:root. This makes the exploit destructive/impactful, not merely demonstrative. The code uses Python requests with TLS verification disabled, custom Host header spoofing, manual cookie extraction from raw headers, and regex parsing of redirect tokens. It supports both single-target execution and batch processing from a file. No external C2, callback infrastructure, or framework integration is present.

This repository is a small standalone Python exploit PoC for CVE-2026-41940, containing one executable script (CVE-2026-41940.py) and a README. It is not tied to a major exploit framework. The Python script is the clear entry point and implements a network/web attack against exposed cPanel/WHM management interfaces, primarily expected on HTTPS port 2087. Exploit flow: the script normalizes the supplied target URL, creates a requests session, and first POSTs to /login/?login_only=1 with bogus root credentials to obtain a whostmgrsession cookie. If the cookie is present, it then sends a crafted Authorization header labeled as Basic auth but containing base64-encoded CRLF-separated values intended to set authentication-related flags such as hasroot=1, tfa_verified=1, cp_security_token=1, and successful_internal_auth_with_timestamp=1. It performs a GET / with that header and cookie, then verifies success by requesting /json-api/version. A 200 response containing "version" is treated as successful root WHM authentication bypass. Main capability: unauthenticated remote administrative access to WHM/root context. The script itself does not include a reverse shell, command execution primitive, or persistence payload, but the README explicitly frames successful exploitation as enabling follow-on actions such as planting an SSH key or creating a backdoor. Because it contains a working exploitation sequence and hardcoded auth-bypass header rather than a customizable payload framework, the maturity is best classified as OPERATIONAL. Repository structure is minimal: one Python exploit file plus documentation. The README provides vulnerability context, affected products, example output, mitigation guidance, and references. Overall purpose is to demonstrate and automate exploitation of a pre-authentication bypass in cPanel/WHM by abusing session handling and malformed Basic Authorization header processing.

This repository is a small standalone exploit repo with two files: a README describing the vulnerability and exploitation logic, and a single Python exploit script, cve_2026_41940.py, which is the operational entry point. It is not part of a larger exploit framework. The exploit targets CVE-2026-41940 in cPanel/WHM. The README explains a session-handling flaw in Cpanel/Session.pm: newline injection into the pass field combined with a conditional encoding bypass when the session cookie lacks its 'ob' component. The intended attack flow is: create a pre-auth session via /login/?login_only=1, strip the cookie suffix, inject newline-delimited session keys such as tfa_verified=1, hasroot=1, and successful_internal_auth_with_timestamp, then trigger a session-modification path so the raw session file is re-read and promoted into the JSON cache. Once the forged session is active, the attacker can access protected WHM/cPanel endpoints. The Python script implements this as an HTTPS network/web exploit. It initializes a requests session with retries, disabled TLS verification, optional proxy support, and browser-like headers. It chooses the target cookie name based on port: whostmgrsession for WHM ports 2086/2087 and cpanelsession for cPanel ports 2082/2083. It performs behavioral fingerprinting by requesting /login/ and probing /login/?login_only=1 with multiline input to distinguish cPanel behavior and infer patching or rejection behavior. It then attempts to acquire a session and inject forged state. Although the provided content is truncated in the middle of acquire_and_inject and capability discovery, the visible code and README clearly show the exploit’s purpose and post-exploitation flow. A notable capability is post-auth command execution. The shell() method provides an interactive operator loop and uses one of two authenticated endpoints depending on discovered capability: GET <security_token>/json-api/execute_shell_command with a command parameter, or POST <security_token>/scripts2/do_terminal_command with command data. This indicates the exploit is more than a detector or login bypass PoC; it aims to convert the session forgery into practical remote command execution through legitimate WHM/cPanel administrative functionality. Overall, this is an operational standalone Python exploit for unauthenticated authentication bypass against cPanel/WHM, with session forgery, privilege escalation within the application context, capability discovery, and interactive command execution against the compromised target.