CVE-2026-27602
Received Received - Intake
Command Injection in Modoboa exec_cmd() via Unsanitized Domain Names

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27602
EUVD
EUVD-2026-15951
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
modoboa modoboa to 2.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Modoboa, a mail hosting and management platform, in versions prior to 2.7.1. The function exec_cmd() in the file modoboa/lib/sysutils.py runs subprocess calls with shell=True, which means shell commands are executed directly. Domain names are inserted into these shell command strings without any sanitization. As a result, a Reseller or SuperAdmin can include shell metacharacters in a domain name, allowing them to execute arbitrary operating system commands on the server.

Impact Analysis

This vulnerability can have severe impacts because it allows privileged users (Reseller or SuperAdmin) to execute arbitrary OS commands on the server. This can lead to full compromise of the server, including unauthorized data access, data modification, service disruption, or further attacks on the infrastructure.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Modoboa to version 2.7.1 or later, where the issue has been patched.

Detection Guidance

This vulnerability involves OS command injection through unsanitized domain names or email addresses passed to shell commands in Modoboa versions prior to 2.7.1. Detection involves identifying if your Modoboa installation is running a vulnerable version and if suspicious domain names or mailbox addresses containing shell metacharacters have been created.

To detect exploitation attempts or presence of injected commands, you can check for unusual files or outputs created by injected commands, such as files in /tmp created by payloads like $(id>/tmp/proof).

Suggested commands to detect potential exploitation or suspicious activity include:

  • Check for suspicious domain names or mailbox addresses containing shell metacharacters (e.g., $, `, ;, |) in the Modoboa database.
  • Search for unexpected files created by injected commands, for example: `ls -l /tmp/proof` or other unusual files in /tmp or other writable directories.
  • Review Modoboa logs for commands executed or errors related to subprocess calls.
  • If you have access to the server, you can run commands like `ps aux | grep modoboa` to check running processes for suspicious command lines.

There are no specific detection commands provided in the resources, but monitoring for shell metacharacters in domain names and checking for unexpected files or command executions are practical approaches.

Compliance Impact

The provided context and resources do not include any information regarding the impact of CVE-2026-27602 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart