CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Modoboa: >> Modoboa >> 2.4.11 Security Vulnerabilities

CVE-2026-27602

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

CVSS Score

7.2

EPSS Score

0.001

Published

2026-03-25

Page 1

Vulnerabilities

Vulnerable Software

Modoboa: >> Modoboa >> 2.4.11 Security Vulnerabilities

Products

Pricing

Contact Us