Description
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
Published: 2026-03-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: OS Command Injection enabling arbitrary command execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in Modoboa’s exec_cmd function, which invokes subprocess calls with shell=True and directly incorporates domain names into the command string without sanitization. An attacker who can modify a domain name—such as a Reseller or SuperAdmin—can inject shell metacharacters to execute arbitrary operating‑system commands, compromising confidentiality, integrity and availability of the host system.

Affected Systems

All Modoboa mail hosting deployments running a version earlier than 2.7.1 are affected, provided the user has Reseller or SuperAdmin permissions to create or edit domain names. Vendors and users of Modoboa should verify the running version and apply the 2.7.1 release, which removes the unsanitized shell invocation.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate to high severity; the EPSS score of less than 1% suggests low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Inference indicates that an attacker can exploit the vulnerability remotely through the web interface by configuring a domain name that contains shell metacharacters, allowing execution of arbitrary commands on the server.

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Modoboa patch version 2.7.1 or later
  • Verify all instances run only post‑2.7.1 releases
  • Limit or review Reseller and SuperAdmin privileges to restrict domain name changes
  • Monitor system logs for unexpected shell execution patterns

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wwv8-cqpr-vx3m Modoboa has OS Command Injection
History

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Modoboa
Modoboa modoboa
Vendors & Products Modoboa
Modoboa modoboa

Wed, 25 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
Title Modoboa has an OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Modoboa Modoboa
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:38:37.459Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27602

cve-icon Vulnrichment

Updated: 2026-03-26T15:38:28.266Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T19:16:48.430

Modified: 2026-03-26T16:30:21.993

Link: CVE-2026-27602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:17Z

Weaknesses