{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27602", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.602Z", "datePublished": "2026-03-25T18:49:25.825Z", "dateUpdated": "2026-03-25T18:49:25.825Z"}, "containers": {"cna": {"title": "Modoboa has an OS Command Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m"}, {"name": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa", "tags": ["x_refsource_MISC"], "url": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa"}, {"name": "https://github.com/modoboa/modoboa/releases/tag/2.7.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/modoboa/modoboa/releases/tag/2.7.1"}], "affected": [{"vendor": "modoboa", "product": "modoboa", "versions": [{"version": "< 2.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T18:49:25.825Z"}, "descriptions": [{"lang": "en", "value": "Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue."}], "source": {"advisory": "GHSA-wwv8-cqpr-vx3m", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue."}], "id": "CVE-2026-27602", "lastModified": "2026-03-25T19:16:48.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T19:16:48.430", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa"}, {"source": "security-advisories@github.com", "url": "https://github.com/modoboa/modoboa/releases/tag/2.7.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:20:55.407833+00:00", "value": {"mitigation_remediation": ["Apply the official Modoboa 2.7.1 patch or newer version immediately.", "Verify that the exec_cmd implementation no longer uses shell=True and that domain names are properly validated.", "If an update cannot be applied right away, restrict domain creation to trusted administrators and sanitize domain names to remove shell metacharacters as a temporary measure.", "Review domain creation logs for suspicious entries and monitor the system for abnormal command execution activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Modoboa mail hosting platform, vendor Modoboa, product Modoboa. All releases prior to version 2.7.1 contain the flaw because exec_cmd() always uses shell=True when processing domain names. Versions 2.7.1 and later have applied the patch.", "description_and_impact": "The vulnerability allows an attacker that controls a domain name to inject shell metacharacters into a command string that is executed with elevated privileges. This classic OS Command Injection flaw enables execution of arbitrary commands on the mail server, leading to loss of confidentiality, integrity, and availability. The weakness is identified as CWE\u201178. The impact is system\u2011wide and can potentially compromise the entire host environment.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity, but the EPSS score is not available and the flaw is not listed in CISA's KEV catalog. The attack vector is inferred to be via a reseller or SuperAdmin creating a domain. Once the domain name is stored, the application passes it directly to a shell, allowing an attacker to execute any command. The vulnerability requires that the user have rights to create or modify domains, so a privileged user or compromised account is a prerequisite. The risk stays high due to the broad impact and the ease of exploitation once the conditions are met."}}}}, "created": "2026-03-25T21:46:26.045395+00:00", "updated": "2026-03-25T21:46:26.045490+00:00", "vendors": []}