CVE-2026-27602

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27602

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27602.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-27602

Aliases

GHSA-wwv8-cqpr-vx3m

Published

2026-03-25T18:49:25.825Z

Modified

2026-03-27T10:46:29.136587Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Modoboa has an OS Command Injection

Details

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

Database specific

{
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27602.json"
}

References

Affected packages

Git / github.com/modoboa/modoboa

Affected ranges

Type

GIT

Repo

https://github.com/modoboa/modoboa

Events

Introduced

Fixed

3af49cff5d36de896e1c5c56a98786ce413d0c3f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.1"
        }
    ]
}

Affected versions

0.*

0.1

0.2

0.3

0.5

0.6

0.6.1

0.7

0.7.1

0.7.2

0.8

0.8-rc1

0.8-rc2

0.8.1

0.8.2

0.8.3

0.8.3-rc1

0.8.4

0.8.5

0.8.6

0.8.6.1

0.8.7

0.8.8

0.9

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.11.0

1.11.1

1.12.0

1.12.1

1.12.2

1.13.0

1.13.1

1.14.0

1.15.0

1.16.0

1.16.1

1.17.0

1.2.0

1.2.0-rc1

1.2.0-rc2

1.2.1

1.2.2

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.5.0

1.5.1

1.5.2

1.5.3

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.8.0

1.8.1

1.8.2

1.8.3

1.9.0

1.9.1

2.*

2.0.0

2.0.0-beta.1

2.0.0-beta.2

2.0.0-beta.3

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.1.0

2.1.1

2.1.2

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.0-beta.1

2.3.0-beta.2

2.3.0-beta.3

2.3.0-beta.4

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.4.0

2.4.1

2.4.10

2.4.11

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.5.0

2.5.1

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.7.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27602.json"