CVE-2026-27602

Name of the Vulnerable Software and Affected Versions Modoboa versions prior to 2.7.1

Description Modoboa is a mail hosting and management platform. The exec cmd() function in modoboa/lib/sysutils.py consistently executes subprocess calls with shell=True. Because domain names are directly incorporated into shell command strings without proper sanitization, a Reseller or SuperAdmin can inject shell metacharacters into a domain name to execute arbitrary operating system commands on the server. Specifically, the issue resides in modoboa/lib/sysutils.py:31. The vulnerability is present in several areas, including domain creation with DKIM enabled, mailbox renaming, sa-learn execution, doveadm user commands, rrdtool usage, and doveadm move/delete operations. An attacker with Reseller-level access or higher can potentially execute arbitrary OS commands as root on the mail server.

Recommendations Modoboa versions prior to 2.7.1 should be updated to version 2.7.1 or later.