HIGH🇵🇱 Wersja polska

CVE-2026-27602

CVSS 7.2v3.1pub. 2026-03-25upd. 2026-03-26

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Modoboa

    APP
    Modoboa
    < 2.7.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2023-2227CRITICAL9.1ten sam produkt

Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.

CVE-2023-0777CRITICAL9.8ten sam produkt

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

CVE-2023-5690HIGH8.8ten sam produkt

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

CVE-2023-5689MEDIUM5.4ten sam produkt

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

CVE-2023-5688MEDIUM5.4ten sam produkt

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.