Cyber Resilience

CVE-2026-27602

High · Public PoC · RCE

Published: 25 March 2026

Modified: 26 March 2026
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27602 is a high-severity OS Command Injection (CWE-78) vulnerability in Modoboa. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27602 is a command injection vulnerability in Modoboa, an open-source mail hosting and management platform. The issue resides in the `exec_cmd()` function within `modoboa/lib/sysutils.py`, which executes subprocess calls with `shell=True` without sanitizing domain names that are directly incorporated into shell command strings. This affects all versions of Modoboa prior to 2.7.1 and is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A Reseller or SuperAdmin user with network access to the Modoboa instance can exploit this vulnerability by injecting shell metacharacters into a domain name field. Successful exploitation allows the attacker to execute arbitrary operating system commands on the server, potentially leading to high-impact confidentiality, integrity, and availability compromises, such as data exfiltration, modification, or server takeover.

Mitigation is available in Modoboa version 2.7.1, which patches the vulnerability by addressing the unsanitized domain name handling in shell commands. Official advisories and resources, including the GitHub security advisory (GHSA-wwv8-cqpr-vx3m), release notes for v2.7.1, and the specific commit (27a7aa133d3608fe8c25ae39125d1012c333cbfa), detail the fix and recommend immediate upgrading.
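A hardening pattern for the class of flaw described above, as an added example (not Modoboa's code and not the 2.7.1 patch): validate the domain against a strict DNS grammar, then pass it as a single argv element with no shell. The names `validate_domain`, `run_no_shell`, `run_for_domain` and `ECHO_ARG` are hypothetical, the hostile input is constructed, and internationalized domains are assumed to arrive already punycode-encoded.

```python
import re
import subprocess
import sys

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading or trailing
# hyphen (this also stops a value being parsed as a command-line option).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")

# Stand-in for an external tool (assumption): writes its first argument back.
ECHO_ARG = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def validate_domain(name: str) -> str:
    """Return name unchanged if it is a plain multi-label DNS name, else raise."""
    # fullmatch() rejects trailing newlines, spaces and every shell metacharacter.
    if len(name) > 253 or not _DOMAIN_RE.fullmatch(name):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def run_no_shell(argv_prefix, value):
    """Run argv_prefix + [value] without a shell; value stays one literal argument."""
    proc = subprocess.run(
        [*argv_prefix, value],
        shell=False,            # no /bin/sh, so ';', '|', '$()' are never parsed
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout


def run_for_domain(argv_prefix, domain):
    """Defense in depth: reject bad names first, then execute without a shell."""
    return run_no_shell(argv_prefix, validate_domain(domain))


if __name__ == "__main__":
    hostile = "example.com; echo INJECTED"   # constructed sample input
    # Without a shell the whole string reaches the program as data.
    print(repr(run_no_shell(ECHO_ARG, hostile)))
    try:
        run_for_domain(ECHO_ARG, hostile)
    except ValueError as exc:
        print("rejected:", exc)
    print(run_for_domain(ECHO_ARG, "mail.example.org"))
```

Either control alone blocks the injection path described here; keeping both means a later code change that reintroduces a shell string does not immediately reopen it.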

Vulnerability details

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection (CWE-78) via unsanitized domain input to a `shell=True` subprocess directly enables arbitrary Unix shell command execution (T1059.004) and facilitates privilege escalation from SuperAdmin/Reseller to full system compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5208 (shared CWE-78)
CVE-2025-23383 (shared CWE-78)
CVE-2026-45255 (shared CWE-78)
CVE-2026-26318 (shared CWE-78)
CVE-2026-22277 (shared CWE-78)
CVE-2026-0596 (shared CWE-78)
CVE-2025-10589 (shared CWE-78)
CVE-2025-56108 (shared CWE-78)
CVE-2026-33641 (shared CWE-78)
CVE-2025-66209 (shared CWE-78)

Affected Assets

modoboa
modoboa
≤ 2.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation and sanitization of domain name inputs before use in shell commands to prevent injection of shell metacharacters via exec_cmd().

prevent

Mandates timely flaw remediation including patching Modoboa to version 2.7.1 which fixes the unsanitized domain name handling in shell commands.

prevent

Restricts domain name inputs to valid formats and characters at system boundaries, blocking shell metacharacters that enable arbitrary OS command execution.
