cPanel and WHM Authentication Bypass via Login Flow
Title source: cna
Exploitation Summary
CVE-2026-41940 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 30, 2026.
EIP tracks 83 public exploits from researchers including nu11secur1ty, assetnote and bughunt4me, among them a Metasploit module, `exploits/multi/http/cpanel_whm_auth_bypass_rce`.
A Nuclei detection template is also available.
AI-analyzed exploit summary
The exploit demonstrates a CRLF injection vulnerability in cPanel/WHM's `cpsrvd` daemon, allowing unauthenticated remote attackers to inject malicious session parameters via the `Authorization` header and `whostmgrsession` cookie, bypassing authentication and gaining root privileges.
Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Exploits (83)
The exploit demonstrates a CRLF injection vulnerability in cPanel/WHM's `cpsrvd` daemon, allowing unauthenticated remote attackers to inject malicious session parameters via the `Authorization` header and `whostmgrsession` cookie, bypassing authentication and gaining root privileges.
This repository contains a high-fidelity scanner for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The scanner detects vulnerable hosts by injecting a session payload and verifying the response, avoiding false negatives and account lockouts.
This repository contains a functional proof-of-concept exploit for CVE-2026-41940, a critical session-file CRLF injection vulnerability in cPanel & WHM that allows root authentication bypass on WHM port 2087. The exploit automates the process of obtaining a session cookie, injecting malicious data via CRLF, and verifying root access, optionally opening a browser to the WHM dashboard.
This exploit demonstrates an authentication bypass vulnerability in cPanel/WHM (CVE-2026-41940) by leveraging CRLF injection in session cookies and Basic Auth headers to escalate privileges to root. It automates the attack chain to change the root password.
The repository contains a detection-only PoC for CVE-2026-41940, a CRLF injection vulnerability in cPanel & WHM leading to authentication bypass. The PoC verifies the vulnerability by walking through the bypass chain and reading the target's version but does not include the full exploit chain for RCE.
This repository contains a detection script for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The script scans session files and logs for indicators of exploitation, such as newline injection in session handling, and provides severity-based findings.
This repository contains a functional exploit for CVE-2026-41940, a CRLF injection vulnerability in cPanel & WHM. The exploit automates the process of bypassing authentication and generating administrative tokens, demonstrating a clear path to unauthorized access.
This exploit demonstrates an authentication bypass in cPanel/WHM (CVE-2026-41940) by injecting a crafted Base64 payload via CRLF injection in the session cookie, leading to unauthorized root access. The PoC automates the attack chain, including session minting, token leakage, and password change.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit uses a multi-stage attack involving CRLF injection and session token manipulation to achieve root-level access to the WHM interface.
The repository contains a functional Python exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection to achieve unauthenticated root access, with detection and exploitation modes.
This repository contains a functional Go-based exploit for CVE-2026-41940, a CRLF injection vulnerability in cPanel & WHM that allows authentication bypass and root access. The exploit includes detailed technical documentation, multi-platform binaries, and post-exploitation features.
This repository contains a Python script that scans CIDR ranges for open TCP ports 2083 and 2087, which are associated with cPanel and WHM services. It does not exploit CVE-2026-41940 but rather detects potentially vulnerable hosts by identifying open ports.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection and session manipulation to bypass authentication and gain root access.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel. The exploit uses a multi-stage approach involving CRLF injection and session manipulation to bypass authentication and gain root access to WHM.
This repository contains a functional Python tool for detecting and exploiting CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM and WP Squared. The tool includes multi-port scanning, Google dork generation, and interactive RCE capabilities via crafted Authorization headers.
This repository contains a detection tool for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The tool scans for vulnerable instances but does not exploit the vulnerability.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM. The exploit leverages CRLF injection in the HTTP Basic authentication handler to manipulate session files, granting root privileges without valid credentials.
This repository contains a detection script for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The script scans session files and logs for indicators of exploitation, such as newline injection in session handling, and provides severity-based findings.
This repository provides a detailed technical analysis of CVE-2026-41940, a critical unauthenticated RCE vulnerability in cPanel & WHM. It includes a comprehensive writeup explaining the root cause (CRLF injection via session data manipulation) and offers mitigation tools such as a defense-in-depth shim, ModSecurity rules, and IOC scanners.
This is a detailed security advisory from QiAnXin CERT regarding an authentication bypass vulnerability in cPanel & WHM (CVE-2026-41940). The document provides an overview of the vulnerability, including its impact and mitigation measures, but does not include functional exploit code.
The repository contains a Python-based scanner for detecting exposure to CVE-2026-41940, a cPanel/WHM authentication bypass vulnerability. It checks for proxy subdomain misconfigurations and passive indicators without attempting exploitation.
This repository contains a functional exploit for CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM. The exploit leverages CRLF injection in the Authorization header to poison session files, allowing root access without valid credentials.
This repository contains a read-only IOC detector for cPanel/WHM servers affected by CVE-2026-41940. It scans for indicators of compromise such as ransomware files, backdoors, C2 callbacks, and log anomalies without exploiting the vulnerability.
This repository contains a functional Go-based exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection in the Authorization header to bypass authentication and gain root-level access to WHM APIs.
The repository contains obfuscated Python code with multiple layers of base64, zlib, and XOR encoding, which is highly suspicious. The README describes a cPanel/WHM exploit but the code does not match this description, instead containing deceptive constructs and no functional exploit logic.
The repository claims to be an interactive exploitation tool for CVE-2026-41940 but lacks actual exploit code. It provides vague marketing language and references external sources without technical details or functional code.
The repository contains heavily obfuscated Python code using PyArmor, with no clear technical details about CVE-2026-41940. The presence of obfuscation and lack of legitimate exploit code or technical analysis suggests a potential lure for malware or monetization.
This repository contains a functional exploit for CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM. The exploit leverages CRLF injection in the Authorization header to poison session files, granting root-level WHM access without valid credentials.
The repository contains a placeholder file 'priv.py' with no functional exploit code, only a 'coming soon...' message. The other file is a JPEG image, which is unrelated to exploit code.
The repository contains a functional Python exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection in Basic Authentication headers to forge a root session, propagate it into the daemon cache, and achieve root-level WHM access.
This repository contains a functional Python exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection to bypass authentication, extract account data, and hijack sessions.
This repository contains a functional exploit for CVE-2026-41940, targeting a cPanel/WHM authentication bypass vulnerability. The exploit automates the creation of a reseller account without requiring valid credentials, leveraging a multi-stage attack to bypass authentication and propagate session tokens.
The repository contains a functional exploit framework for CVE-2026-41940, targeting a CRLF injection vulnerability in cPanel/WHM's Basic authentication handler. It includes payload generation, session manipulation, and post-exploitation modules, demonstrating a clear understanding of the vulnerability mechanics.
This repository contains a forensic bash script designed to detect signs of compromise following the exploitation of CVE-2026-41940 in cPanel/WHM systems. It checks for unauthorized SSH keys, rootkits, cron jobs, and other indicators of compromise.
The repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM via CRLF injection in session files. It includes scripts for target filtering, mass scanning, and exploitation with detailed documentation.
The repository contains a Python-based scanner that detects exposed cPanel, WHM, and Webmail administrative interfaces by checking specific ports and analyzing HTTP responses. It does not exploit CVE-2026-41940 but identifies potential exposure to it.
This repository contains a Rust-based honeypot that simulates a vulnerable cPanel/WHM instance for CVE-2026-41940, an authentication bypass vulnerability. It emulates the response sequence used by cPanel2Shell vulnerability scanners and provides a fake bash shell for attackers who proceed past the initial probe.
The repository contains a bash script designed to scan for compromised cPanel/WHM session files by checking for indicators of compromise (IOCs) such as token denial counters and authentication markers. It does not exploit the vulnerability but detects potential post-exploitation artifacts.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages a CRLF injection technique to bypass authentication and gain root access to the WHM interface.
The repository claims to provide a PoC for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM via CRLF injection, but contains no actual exploit code. Instead, it directs users to download an executable from GitHub releases, which is a common tactic for distributing malware or fake exploits.
This repository contains a functional exploit for CVE-2026-41940, targeting cPanel's authentication bypass vulnerability. The exploit uses a multi-stage approach to inject a malicious session cookie, propagate it, and verify successful bypass, with support for both single and mass exploitation.
The repository contains a functional exploit for CVE-2026-41940, which bypasses cPanel/WHM authentication via CRLF injection in session tokens. The PoC automates the attack by creating a session, injecting malicious headers, and verifying root access.
This repository contains a Python-based verification script for CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM. The script checks for the presence of the vulnerability by attempting to create a pre-authentication session and injecting a crafted payload, but it does not include full exploit code for unauthorized access.
This repository provides a detailed technical analysis of the 'Sorry' ransomware campaign exploiting CVE-2026-41940, including IOCs, YARA rules, forensic scripts, and methodology. It focuses on defensive measures and does not contain exploit code.
The repository contains a functional exploit for CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM. The exploit leverages CRLF injection in the Authorization header to poison session files, granting root-level WHM access without valid credentials.
This repository contains a functional PoC for CVE-2026-41940, an authentication bypass vulnerability in cPanel. The tool demonstrates the exploit by generating a crafted session token to access the cPanel File Manager without credentials.
This repository contains a functional proof-of-concept exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM's cpsrvd service. The exploit chains CRLF injection with Basic auth header poisoning to gain root WHM access without valid credentials.
The repository contains a Python script that claims to be a verification script for CVE-2026-41940 but lacks any actual exploit code. Instead, it requires automated analysis tools to register by sending identification to an external URL, which is a red flag for potential tracking or malicious intent.
This repository contains a functional exploit PoC for CVE-2026-41940, a session-file CRLF injection vulnerability in cPanel & WHM that allows root authentication bypass. The exploit chain involves poisoning session files via crafted Authorization headers and includes post-exploitation actions like password changes and command execution.
This repository contains a functional exploit for CVE-2026-41940, targeting a vulnerability in cPanel/WHM. The exploit leverages a multi-stage attack to achieve authentication bypass and remote code execution via websocket shell access and API token persistence.
This repository contains a Python-based scanner for detecting CVE-2026-41940, a CRLF injection vulnerability in cPanel & WHM that could lead to authentication bypass. The tool performs passive fingerprinting and version detection without exploiting the vulnerability.
This repository contains a functional proof-of-concept exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM. The exploit leverages CRLF injection to manipulate session files, allowing unauthorized access to WHM/cPanel APIs.
This repository contains a detection script provided by cPanel to scan for indicators of compromise (IOCs) related to CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM. The script checks session files for suspicious patterns but does not exploit the vulnerability.
The repository contains a functional Python exploit for CVE-2026-41940, which leverages CRLF injection to bypass authentication in cPanel/WHM and change the root password. The exploit includes detailed usage instructions, Telegram notification support, and multi-threading capabilities.
This repository provides a remediation script for CVE-2026-41940 (cPanel authentication bypass) and CVE-2026-31431 (Linux kernel 'Copy Fail'). It assesses system vulnerabilities and applies fixes but does not include exploit code.
The repository claims to provide a tool for detecting and removing malware related to CVE-2026-41940 but lacks any actual exploit code or technical details. It directs users to an external link for the 'official tool,' which is a common tactic for suspicious or malicious repositories.
The repository contains a Nuclei template for detecting CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM via CRLF injection in the basic auth header. The YAML file defines a request to probe for the vulnerability but does not include functional exploit code for gaining access.
The repository contains a functional Python exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection via malformed Basic Auth headers to gain root WHM access without credentials.
This repository contains a multi-OS vulnerability scanner for CVE-2026-31431 (Linux kernel flaw) and CVE-2026-41940 (cPanel & WHM authentication bypass). The script checks for vulnerable versions, module status, and patch availability without exploiting the vulnerabilities.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection and conditional encoding bypass in session handling to gain unauthorized access.
The repository contains a multi-threaded scanner for detecting CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM via CRLF injection. It checks multiple ports and provides detailed reports but does not include functional exploit code.
This repository contains a Go-based CLI tool designed to scan for internet-exposed cPanel/WHM instances by probing HTTPS ports and checking for a specific marker string in the response. It is intended to identify potential targets for testing CVE-2026-41940 (cPanel & WHM Authentication Bypass) but does not include exploit code.
This repository contains a functional exploit for CVE-2026-41940, which bypasses authentication in cPanel/WHM by leveraging a CRLF injection vulnerability to forge a session token. The exploit automates the process of obtaining root access and changing the root password.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection in Basic Authentication headers to forge a root session, granting unauthorized access to WHM APIs.
This repository contains a functional exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM. The exploit leverages CRLF injection in the session file via the Authorization header to gain root-level WHM access without valid credentials.
The repository contains no actual exploit code or technical details, only a vague title mentioning a 'Mass Scanner & Exploiter' for CVE-2026-41940. This is characteristic of a social engineering lure.
This repository provides two Bash scripts designed to detect and mitigate the effects of CVE-2026-41940, a critical vulnerability in cPanel/WHM. The scripts perform security audits, malware detection, and cleanup tasks but do not include functional exploit code.
This repository contains a functional Python exploit for CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The exploit includes a full chain to bypass authentication and gain an interactive shell, with detailed logging and target discovery mechanisms.
This repository contains a functional exploit for CVE-2026-41940, demonstrating a multi-step authentication bypass in cPanel/WHM via CRLF injection and session poisoning. The exploit follows a 4-step process to inject malicious session data, trigger session regeneration, and verify root-level access.
This repository provides a detailed technical analysis and remediation script for CVE-2026-41940, a pre-authentication bypass vulnerability in cPanel/WHM. It includes a comprehensive Bash script for detection, remediation, and patching, along with indicators of compromise (IOCs) and manual cleanup steps.
This repository contains a functional exploit for CVE-2026-41940, a critical authentication bypass vulnerability in cPanel/WHM. The exploit leverages CRLF injection in session handling to achieve root access without authentication.
This repository contains a functional exploit for CVE-2026-41940, targeting cPanel/WHM authentication bypass via CRLF injection and session forgery. The exploit automates the process of gaining root access by changing the root password.
This repository contains a functional exploit for CVE-2026-41940, targeting cPanel WHM authentication bypass via CRLF injection. The exploit follows a multi-stage process to bypass authentication and leak account data.
This repository contains a functional Go-based exploit for CVE-2026-41940, an authentication bypass leading to RCE in cPanel/WHM. The exploit includes a multi-stage attack chain to achieve root access on vulnerable systems.
This repository contains a functional Go-based exploit for CVE-2026-41940, a cPanel/WHM authentication bypass vulnerability. The tool supports both scanning and exploitation, including RCE, password modification, API calls, and session generation.
This repository contains a functional Python script that validates session authentication after exploiting CVE-2026-41940, an authentication bypass vulnerability in cPanel/WHM. The script tests multiple endpoints to confirm whether the injected session grants authenticated access, including API calls and terminal access.
This Metasploit module exploits CVE-2026-41940, a CRLF injection vulnerability in cPanel/WHM's cpsrvd daemon, allowing unauthenticated remote code execution as root. It bypasses authentication by injecting malicious session fields and leverages the WHM JSON API to execute commands via SSH.
This repository contains a Python-based scanner for CVE-2026-41940, an authentication bypass vulnerability in cPanel & WHM. The tool detects the vulnerability by exploiting a CRLF injection flaw in session handling but does not include exploit code for gaining root access.
Nuclei Templates (1)
title:"WHM Login"
References (9)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H