Command Injection Vulnerability in Modoboa Mail Hosting Platform
CVE-2026-27602

7.2HIGH

Key Information:

Vendor

Modoboa

Status
Modoboa
Vendor
CVE Published:
25 March 2026

What is CVE-2026-27602?

Modoboa, a mail hosting and management platform, contains a command injection vulnerability in its exec_cmd() function found in modoboa/lib/sysutils.py. This issue arises because subprocess calls are executed with shell=True, allowing attackers, such as Resellers or SuperAdmins, to embed shell metacharacters into domain names. As a result, malicious users can execute arbitrary operating system commands on the server. Users are advised to upgrade to version 2.7.1, which addresses this critical issue.

Affected Version(s)

modoboa < 2.7.1

References

https://github.com/modoboa/modoboa/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/modoboa/modoboa/commit/27a7aa133d3608f...
x_refsource_MISC
https://github.com/modoboa/modoboa/releases/tag/2.7.1
x_refsource_MISC

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.