CVE-2026-27602 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-27602

CVE-2026-27602

March 25, 2026

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, "exec_cmd()" in "modoboa/lib/sysutils.py" always runs subprocess calls with "shell=True". Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

Affected Packages

https://github.com/modoboa/modoboa.git (GITHUB):

Affected version(s) >=0.1 <2.7.1

Fix Suggestion:

Update to version 2.7.1

https://github.com/modoboa/modoboa.git (GITHUB):

Affected version(s) >=0.1 <2.7.1

Fix Suggestion:

Update to version 2.7.1

https://github.com/modoboa/modoboa.git (GITHUB):

Affected version(s) >=0.1 <2.7.1

Fix Suggestion:

Update to version 2.7.1

modoboa (PYTHON):

Affected version(s) >=0.7.0 <2.7.1

Fix Suggestion:

Update to version 2.7.1

modoboa (PYTHON):

Affected version(s) >=0.7.0 <2.7.1

Fix Suggestion:

Update to version 2.7.1

modoboa (PYTHON):

Affected version(s) >=0.7.0 <2.7.1

Fix Suggestion:

Update to version 2.7.1

modoboa (PYTHON):

Affected version(s) >=0.7.0 <2.7.1

Fix Suggestion:

Update to version 2.7.1

Related Resources (5)

https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa

https://github.com/modoboa/modoboa

https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m

https://nvd.nist.gov/vuln/detail/CVE-2026-27602

https://github.com/modoboa/modoboa/releases/tag/2.7.1

Do you need more information?

CVSS v4

Base Score:

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

HIGH

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

EPSS

Base Score:

0.05

Products

Solutions

Resources

Company

Compare

Developer Tools