Security Advisory

CVE-2026-27602

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-25 18:49:25

Last updated 2026-03-26 15:38:37

Assigner GitHub_M

State PUBLISHED

Description

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

← Browse all CVEs View on cve.org ↗