Home > Vulnerability Database > CVE-2025-43920

Mend.io Vulnerability Database

CVE-2025-43920

Date: April 19, 2025

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.

Severity Score

5.4

Related Resources (6)

Url: https://code.launchpad.net/~mailman-coders/mailman/2.1

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-43920

Url: https://www.openwall.com/lists/oss-security/2025/04/21/6

Url: https://github.com/cpanel/mailman2-python3

Url: https://github.com/0NYX-MY7H/CVE-2025-43920

Url: https://www.mend.io/vulnerability-database/CVE-2025-43920

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-43920

Date: April 19, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?