Description

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

INFO

Published Date :

2026-03-25T18:49:25.825Z

Last Modified :

2026-03-26T15:38:37.459Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27602 vulnerability.

Vendors Products
Modoboa
  • Modoboa
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27602.

URL Resource
https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa cve-icon cve-icon
https://github.com/modoboa/modoboa/releases/tag/2.7.1 cve-icon cve-icon
https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact