CVE-2026-27602: Modoboa has OS Command Injection

March 25, 2026 (updated March 27, 2026)

exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.

References

github.com/advisories/GHSA-wwv8-cqpr-vx3m
github.com/modoboa/modoboa
github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa
github.com/modoboa/modoboa/releases/tag/2.7.1
github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m
nvd.nist.gov/vuln/detail/CVE-2026-27602

Code Behaviors & Features

Detect and mitigate CVE-2026-27602 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →