CVE-2026-27602

HIGH 7.2

Modoboa has an OS Command Injection

CVSS Score

7.2

EPSS Score

0.0%

EPSS Percentile

13th

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

CWE	CWE-78
Vendor	modoboa
Product	modoboa
Published	Mar 25, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for modoboa modoboa

Be the first to know when new high vulnerabilities affecting modoboa modoboa are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

modoboa / modoboa

< 2.7.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m github.com: https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa github.com: https://github.com/modoboa/modoboa/releases/tag/2.7.1