Remote Code Execution Vulnerability in Sagredo Qmail
CVE-2026-41113

8.1HIGH

Key Information:

Vendor: Sagredo
Status: Qmail
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-41113?

Sagredo Qmail prior to the 2026.04.07 release contains a vulnerability that allows remote code execution via the tls_quit function. This issue arises due to improper handling of the popen function in the qmail-remote.c file, which can be exploited by attackers to execute arbitrary code on affected systems. Users are encouraged to upgrade to the latest version to mitigate this security risk.

Affected Version(s)

qmail 2024.10.26 < 2026.04.07

References

https://blog.calif.io/p/we-asked-claude-to-audit-sagredos

https://github.com/califio/publications/tree/main/MADBugs...

https://github.com/sagredo-dev/qmail/commit/749f607f6885e...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-41113 Data

JSON