
XsanFlip/poc-cpanel-cve-2026-41940


POC cPanel CVE-2026-41940

(Screenshot from 2026-05-01 22-58-10)

A high-performance, multi-threaded security auditing tool designed to detect CVE-2026-41940, a critical Authentication Bypass vulnerability in cPanel & WHM (discovered in April 2026).

This tool leverages a CRLF Injection technique in HTTP headers to determine whether a cPanel service daemon (cpsrvd) is susceptible to unauthorized root access.
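Because the detection hinges on CR/LF sequences smuggled into HTTP header values, the corresponding defensive control is to reject any header value that carries them before it reaches a downstream component, and to flag such values in access logs. The following is an added defensive example written for this page; it is not code from the xsanflip repository and assumes nothing about cpsrvd internals. The header dictionary, the `key="value"` log format and all sample lines are constructed for illustration.

```python
"""Reject and detect CR/LF control characters in HTTP header values.

Added defensive example (not part of the xsanflip repository). It models the
server-side check a reverse proxy or application layer would apply to header
values, and a matching access-log sweep. All sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Raw CR/LF, their percent-encoded spellings, and the backslash escapes
# ("\r", "\n", "\x0d", "\x0a") that many log writers substitute for raw
# control characters. Case-insensitive so %0D and %0d are both caught.
_CRLF_RE = re.compile(r"[\r\n]|%0[da]|\\x0[da]|\\[rn]", re.IGNORECASE)

# Constructed log format: space-separated key=value pairs, values optionally
# double-quoted, e.g. ip=203.0.113.10 ua="Mozilla/5.0".
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def contains_crlf(value: str) -> bool:
    """True if the header value contains a raw, encoded, or escaped CR or LF."""
    return _CRLF_RE.search(value) is not None


def validate_headers(headers: Dict[str, str]) -> List[str]:
    """Return the names of headers whose values fail the CR/LF check.

    An empty list means the request is clean with respect to this check;
    a non-empty list is grounds for rejecting the request outright.
    """
    return [name for name, value in headers.items() if contains_crlf(value)]


def flag_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_index, field_name) for every log field carrying CR/LF.

    Each field of each line is checked independently, so a line with two
    offending fields yields two tuples.
    """
    flagged: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for match in _FIELD_RE.finditer(line):
            name = match.group(1)
            value = match.group(2) if match.group(2) is not None else match.group(3)
            if contains_crlf(value):
                flagged.append((idx, name))
    return flagged


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    'ip=203.0.113.10 method=GET path=/login ua="Mozilla/5.0 (X11; Linux x86_64)"',
    'ip=203.0.113.11 method=GET path=/login ua="curl/8.5.0" xff="198.51.100.7"',
    'ip=203.0.113.12 method=GET path=/login ua="probe%0d%0aX-Injected: 1"',
    'ip=203.0.113.13 method=POST path=/login ua="probe\\r\\nX-Injected: 1"',
]


if __name__ == "__main__":
    # Constructed request headers: one clean, one carrying an encoded LF.
    request = {"Host": "example.com", "User-Agent": "curl/8.5.0", "X-Test": "a%0Ab"}
    print("rejected headers:", validate_headers(request))
    for idx, field in flag_log_lines(SAMPLE_LOG):
        print(f"line {idx}: suspicious field {field!r}: {SAMPLE_LOG[idx]}")
```

The check is deliberately broad: it also trips on percent-encoded and backslash-escaped forms, which a raw-header validator would not strictly need, because the same function is reused over log text where raw control characters have already been escaped by the logger. Tune `_CRLF_RE` to the validator or the log sweep separately if that conservatism produces noise.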

Key Features

  • Dynamic Port Discovery: Automatically probes standard cPanel/WHM ports (2082, 2083, 2086, 2087) if no port is specified.

  • Smart Detection: Prioritizes user-defined ports (e.g., 1.2.3.4:2083) but falls back to multi-port scanning for bare IPs/domains.

  • High Concurrency: Built with ThreadPoolExecutor for rapid scanning of large IP lists.

  • Beautiful Terminal UI: Uses the Rich library for progress bars, status panels, and a comprehensive scan summary dashboard.

  • Dual Output: Generates both a detailed text report (.txt) and a structured data file (.json) for further analysis.

Installation

  1. Clone the repository:

    git clone https://github.com/xsanflip/poc-cpanel-cve-2026-41940.git
    cd poc-cpanel-cve-2026-41940

  2. Install dependencies:

    pip install requests rich

Usage

Prepare a targets.txt file containing the IP addresses or domains you wish to audit (one per line).

Simple Scan:

python cpanel-scan-cve.py

Output

  • Terminal: Real-time status updates with a final summary table.

  • audit_results_detailed.txt: A human-readable report including server headers and detected versions.

  • audit_results.json: Machine-readable data for integration with other security tools.

⚠️ Disclaimer

This tool is provided for educational purposes and authorized security auditing only. Running this tool against targets without explicit permission is illegal and unethical. The developer (xsanflip) is not responsible for any misuse or damage caused by this program.

Author: xsanlahci

Research Reference: Based on findings published by watchTowr Labs (April 2026).
