7.2

CVE-2026-27602

Exploit

Modoboa has an OS Command Injection

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ModoboaModoboa Version < 2.7.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.57% 0.424
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m
Vendor Advisory
Exploit
https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa
Patch
https://github.com/modoboa/modoboa/releases/tag/2.7.1
Product
Release Notes