Hub WAF rule

More info

vpatch-CVE-2026-41940 WAF Rule

« cPanel WHM - Authentication Bypass »
v0.1 by crowdsecurity
WAF rule

Detects cPanel & WHM authentication bypass (CVE-2026-41940) by identifying a whostmgrsession cookie with a stripped ob segment (no comma separator)

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2026-41940

YAML Configuration

1name: crowdsecurity/vpatch-CVE-2026-41940
2description: 'Detects cPanel & WHM authentication bypass (CVE-2026-41940) by identifying a whostmgrsession cookie with a stripped ob segment (no comma separator)'
3rules:
4  - and:
5      - zones:
6          - COOKIES
7        variables:
8          - whostmgrsession
9        transform:
10          - lowercase
11          - urldecode
12          - trim
13        match:
14          type: regex
15          value: '^:[a-z0-9_]+,?$'
16
17labels:
18  type: exploit
19  service: http
20  confidence: 3
21  spoofable: 0
22  behavior: 'http:exploit'
23  label: 'cPanel WHM - Authentication Bypass'
24  classification:
25    - cve.CVE-2026-41940
26    - attack.T1190
27    - cwe.CWE-306
28

Hub WAF rule

« cPanel WHM - Authentication Bypass »v0.1 by crowdsecurityWAF rule

« cPanel WHM - Authentication Bypass »
v0.1 by crowdsecurity
WAF rule