LiteSpeed cPanel Plugin Symlink Privilege Escalation

Repository contains a single substantive exploit script ('PoC Funcional') plus supporting documentation files in Spanish: README, mitigation guidance, IOC notes, expected output, and operator notes. The Python PoC targets CVE-2026-54420, described as a symlink-following privilege escalation/arbitrary file read issue affecting LiteSpeed cPanel Plugin and WHM Plugin in shared hosting environments. The exploit workflow is: connect to the target over FTP, authenticate, infer a likely web root, attempt multiple FTP command variants to create a symlink pointing at a sensitive file, then retrieve the symlinked file over HTTP to confirm out-of-directory read access. The script also advertises additional capabilities including enumeration of sensitive files, optional web shell upload, verbose mode, alternate FTP port support, and cleanup of created artifacts. Fingerprintable behaviors include FTP control commands such as SITE SYMLINK, RNFR/RNTO, and possible placement of readable .txt artifacts under public_html. Overall, this is an operational PoC exploit rather than a mere detector: it contains exploitation logic, target interaction over FTP and HTTP, and post-exploitation-oriented options.

This repository is a standalone Python exploit/scanner project centered on cve-2026-54420.py, with supporting README, dependency list, and sample targets file. The script presents itself as a PoC/scanner for CVE-2026-54420 affecting a LiteSpeed cPanel plugin, but the code explicitly describes the bug as a hypothetical unauthenticated remote code execution via server-side template injection against a web endpoint named /api/render. The main capability is web-based SSTI detection and exploitation. The script contains payload sets for multiple template engines: Jinja2, Freemarker, Velocity, Smarty, and Twig. These payloads include arithmetic probes for detection, file-read payloads targeting /etc/passwd, command-execution payloads such as id and whoami, a base64-decoded shell command, directory enumeration, file-write behavior to /tmp/pwned.txt, and a hardcoded bash reverse shell to 10.0.0.1:4444. It also defines command groups for post-exploitation enumeration, including OS identification, directory listing, network inspection, and process listing. Operationally, the script supports single-target and bulk-target scanning, multithreading, timeout/delay controls, verbose output, optional enumeration, command execution on vulnerable hosts, and saving results. The visible code shows a TargetManager class for loading and deduplicating targets and a main routine that iterates over vulnerable hosts, optionally executes commands, performs enumeration, and writes a vulnerable_hosts.txt summary. Repository structure is simple: one primary Python code file, requirements.txt for dependencies, targets.txt with sample URLs/IPs, and documentation. Dependencies are typical for a Python HTTP scanner: requests is core, while colorama and tqdm are optional usability enhancements; BeautifulSoup/lxml and YAML support are listed but not clearly necessary from the visible excerpt. Overall, this is an actual exploit-oriented scanner rather than a pure detector. It is not part of a known exploit framework. Based on the included command-execution and reverse-shell payloads, it should be treated as an operational PoC with hardcoded payloads rather than a fully weaponized framework module.