CVE-2026-27602

Source
https://cve.org/CVERecord?id=CVE-2026-27602
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27602.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27602
Aliases
Published
2026-03-25T18:49:25.825Z
Modified
2026-04-10T05:37:17.286183Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Modoboa has an OS Command Injection
Details

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27602.json"
}
References

Affected packages

Git / github.com/modoboa/modoboa

Affected ranges

Type
GIT
Repo
https://github.com/modoboa/modoboa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.1"
        }
    ]
}

Affected versions

0.*
0.1
0.2
0.3
0.5
0.6
0.6.1
0.7
0.7.1
0.7.2
0.8
0.8-rc1
0.8-rc2
0.8.1
0.8.2
0.8.3
0.8.3-rc1
0.8.4
0.8.5
0.8.6
0.8.6.1
0.8.7
0.9
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
1.*
1.0.0
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.11.0
1.12.0
1.12.1
1.12.2
1.13.0
1.13.1
1.14.0
1.15.0
1.16.0
1.16.1
1.17.0
1.2.0
1.2.0-rc1
1.2.0-rc2
1.3.0
1.3.3
1.3.4
1.3.5
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.8.2
1.9.0
1.9.1
2.*
2.0.0
2.0.0-beta.1
2.0.0-beta.2
2.0.0-beta.3
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.3.0-beta.1
2.3.0-beta.2
2.3.0-beta.3
2.3.0-beta.4
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.1
2.4.10
2.4.11
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27602.json"