CVE-2026-41113 | THREATINT

Description

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

PUBLISHED Reserved 2026-04-16 | Published 2026-04-16 | Updated 2026-04-18 | Assigner mitre

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unaffected

2024.10.26 (custom) before 2026.04.07

affected

References

www.openwall.com/lists/oss-security/2026/04/18/5

blog.calif.io/p/we-asked-claude-to-audit-sagredos

github.com/califio/publications/tree/main/MADBugs/qmail

github.com/...ommit/749f607f6885e3d01b36f2647d7a1db88f1ef741

github.com/sagredo-dev/qmail/releases/tag/v2026.04.07

github.com/sagredo-dev/qmail/pull/42

cve.org (CVE-2026-41113)

nvd.nist.gov (CVE-2026-41113)

Download JSON

help @ threatint.eu