CVE-2026-27602

Published: Mar 25, 2026Modified: Mar 26, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

Affected (1)

Products: Modoboa: Modoboa

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Modoboa Modoboa	Before 2.7.1

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa

Source: security-advisories@github.com

Patch

https://github.com/modoboa/modoboa/releases/tag/2.7.1

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.