CVE-2026-27602
7.2 High
Published:
Last updated:
Source: security-advisories@github.com
Analyzed
Weakness (CWE)
CVSS Vector
v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
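The weakness class described above, and one common way to close it, as an added example: this is not Modoboa's code and not the 2.7.1 patch. The names `validate_domain_name`, `run_argv` and `child_sees` are hypothetical, and the Python interpreter stands in for the external tool an application would call.

```python
from __future__ import annotations

import json
import re
import subprocess
import sys

# Assumed allow-list: dot-separated letter/digit/hyphen labels, 1-63 chars each.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")

# Constructed sample input containing a shell metacharacter.
CONSTRUCTED_NAME = "example.com; echo injected"


def validate_domain_name(name: str) -> str:
    """Return name unchanged if it is a plain hostname, else raise ValueError."""
    if len(name) > 253 or not _DOMAIN_RE.fullmatch(name):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def run_argv(argv: list[str], timeout: float = 10.0) -> tuple[int, str]:
    """Run a command from an argument vector so no shell parses the values."""
    if isinstance(argv, str) or not argv:
        raise TypeError("argv must be a non-empty list of strings")
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def child_sees(domain: str) -> list[str]:
    """Return the arguments the child process received for this domain."""
    script = "import sys, json; print(json.dumps(sys.argv[1:]))"
    _, out = run_argv([sys.executable, "-c", script, domain])
    return json.loads(out)


if __name__ == "__main__":
    # Without a shell, the metacharacters arrive as one literal argument.
    print(child_sees(CONSTRUCTED_NAME))
    # Validation at the input boundary rejects the name before any command runs.
    try:
        validate_domain_name(CONSTRUCTED_NAME)
    except ValueError as exc:
        print("rejected:", exc)
```

The two controls are independent: the argument vector removes shell interpretation, and the allow-list keeps malformed names out of every other consumer of the value.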
References
- https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa (source: security-advisories@github.com)
- https://github.com/modoboa/modoboa/releases/tag/2.7.1 (source: security-advisories@github.com)
- https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m (source: security-advisories@github.com)
- https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)