Critical Unauthenticated RCE Flaws Disclosed in Openfind MailGates and Sagredo qmail
Critical remote code execution vulnerabilities have been disclosed in Openfind MailGates/MailAudit and Sagredo qmail that could let attackers compromise exposed mail infrastructure. CVE-2026-6350 affects Openfind MailGates/MailAudit and is a stack-based buffer overflow (CWE-121) that lets an unauthenticated remote attacker control execution flow and run arbitrary code. Its CVSS v3.1 score reflects network exploitation with no privileges or user interaction required and high impact on confidentiality, integrity, and availability; the flaw was referenced in advisories published by TWCERT/CC.
A second flaw, CVE-2026-41113, affects Sagredo qmail versions before 2026.04.07 and enables remote code execution through tls_quit, because qmail-remote.c uses popen in the notlshosts_auto component; it is tracked as an OS command injection issue (CWE-78). The entry references public research, a GitHub publications repository, the fixing commit, pull request #42, and the patched v2026.04.07 release, giving defenders a clear remediation path while underscoring the risk to internet-facing email systems.
Timeline
Apr 16, 2026
CVE-2026-41113 entry published for Sagredo qmail tls_quit RCE
A new CVE entry documented a remote code execution vulnerability in Sagredo qmail's tls_quit functionality affecting versions before 2026.04.07. The record says it was received by cve@mitre.org and classifies the issue as OS command injection.
Apr 16, 2026
CVE-2026-6350 entry published for Openfind MailGates/MailAudit overflow
A new CVE entry documented a stack-based buffer overflow in Openfind MailGates/MailAudit that could let unauthenticated remote attackers control execution flow and run arbitrary code. The record notes it was received by twcert@cert.org.tw and references TWCERT/CC advisories.
Apr 7, 2026
Sagredo qmail releases version 2026.04.07 fixing tls_quit RCE
Sagredo qmail version 2026.04.07 was released to address a remote code execution flaw in tls_quit caused by use of popen in qmail-remote.c. The CVE entry states affected versions are those before 2026.04.07 and references the fixing commit, pull request #42, and the release.
Related Stories

RCE in Sagredo qmail Fork via MX Hostname Shell Injection
A high-severity vulnerability tracked as **CVE-2026-41113** allows remote code execution in the `sagredo-dev/qmail` fork by injecting shell metacharacters into MX hostnames processed by `qmail-remote`. The flaw is in the `tls_quit()` path, where the `notlshosts_auto` feature added in 2024 builds a shell command from attacker-controlled DNS data and executes it with `popen()`. If a target server sends mail to a domain whose DNS is controlled by an attacker, a malicious MX record can trigger command execution as the `qmailr` user when `control/notlshosts_auto` is enabled. The issue affects `sagredo-dev/qmail` versions **v2024.10.26 through v2026.04.02** and was fixed in **v2026.04.07** in commit `749f607`. Public disclosures describe proof-of-concept exploitation using crafted MX values such as `x'\`id>/tmp/pwned\`'y.evil.com`, and the flaw has been assigned a **CVSS 3.1 score of 8.2**. Advisories and follow-on reporting say technical details and exploit code were published alongside the disclosure, increasing the urgency for operators of the Sagredo fork to upgrade immediately.
1 week ago
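The notlshosts_auto bug described in the article and in the related story above comes down to one pattern: DNS-sourced MX data reaching popen(), which hands the string to sh -c. As an added example (not code from the qmail fork), here is a hostname validator plus a hypothetical helper launch that passes the name as a single argv element via posix_spawnp(), so the PoC-shaped value is rejected before anything runs; /bin/echo stands in for whatever helper a real implementation would call.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Accept only RFC 1123 hostname syntax: dot-separated labels of 1-63 letters,
 * digits or hyphens, no label starting or ending with '-', at most 253 chars,
 * no trailing dot. Quotes, backticks, '$', ';' and whitespace are rejected. */
int mx_hostname_is_safe(const char *h) {
    size_t n = strlen(h), label = 0;
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0; /* empty label / trailing '-' */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (label == 0 && c == '-') return 0;        /* leading '-' */
            if (++label > 63) return 0;
        } else {
            return 0;                                    /* anything else, incl. shell syntax */
        }
    }
    return label > 0 && h[n - 1] != '-';
}

/* Hypothetical helper launch: the hostname travels as one argv element to
 * posix_spawnp(), so no "sh -c" ever parses it (popen() always does).
 * Returns the child's exit status, or -1 if the name is rejected or spawn fails. */
int run_host_check(const char *prog, const char *host) {
    if (!mx_hostname_is_safe(host)) return -1;
    char *argv[] = { (char *)prog, (char *)host, NULL };
    pid_t pid; int status;
    if (posix_spawnp(&pid, prog, NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: a normal MX host and the MX shape quoted in the disclosure */
    printf("%d\n", run_host_check("/bin/echo", "mx1.example.net"));
    printf("%d\n", run_host_check("/bin/echo", "x'`id>/tmp/pwned`'y.evil.com"));
    return 0;
}
```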
TWCERT discloses unauthenticated flaws in Openfind MailGates and Digiwin EasyFlow .NET
TWCERT published two high-severity vulnerability entries affecting enterprise software from Taiwanese vendors. **Openfind MailGates/MailAudit** is affected by `CVE-2026-6351`, a `CWE-93` **CRLF injection** flaw that can be exploited by an unauthenticated remote attacker to read system files, creating a significant confidentiality risk. The issue was documented with CVSS v3.1 and v4.0 scoring and linked to TWCERT advisory references. TWCERT also disclosed `CVE-2026-5964` in **Digiwin EasyFlow .NET**, a `CWE-89` **SQL injection** vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL commands. Successful exploitation could let attackers read, modify, or delete database contents, affecting confidentiality, integrity, and availability. Both disclosures highlight externally reachable attack paths requiring no authentication and raise immediate patching and exposure-review concerns for organizations using the affected products.
1 week ago
Unauthenticated SMTP RCE Flaws Expose Tabs Mail Carrier and Zimbra
Two high-severity vulnerabilities were disclosed in mail server software that allow **unauthenticated remote code execution** through crafted SMTP input. `CVE-2019-25646` affects **Tabs Mail Carrier 2.5.1**, where an oversized `MAIL FROM` parameter triggers a **buffer overflow** on the SMTP service listening on port 25. The flaw can overwrite the `EIP` register and enable execution of attacker-controlled payloads, including a bind shell, giving remote attackers a direct path to code execution. A second flaw, `CVE-2025-71275`, affects **Zimbra Collaboration Suite 8.8.15** in the **PostJournal** service. In that case, improper sanitization of the SMTP `RCPT TO` parameter allows **command injection** via shell expansion syntax, leading to arbitrary command execution under the Zimbra service account. Both issues were classified with high impact across confidentiality, integrity, and availability, underscoring the risk posed by exposed SMTP services that process untrusted sender and recipient fields without adequate bounds checking or input sanitization.
1 month ago
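Both issues in the story above stem from SMTP envelope fields used without bounds or character checks: an oversized MAIL FROM overflowing a stack buffer, and RCPT TO carrying shell expansion syntax. The following added example (not vendor code) extracts the path from a MAIL FROM / RCPT TO line into a fixed buffer, enforcing the RFC 5321 path limit and refusing shell syntax; the sample lines are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SMTP_PATH_MAX 256  /* RFC 5321 section 4.5.3.1.3: max reverse/forward path length */

/* Copy the address inside "<...>" of a MAIL FROM / RCPT TO line into a fixed
 * buffer. Rejects paths longer than the RFC limit or the buffer (the overflow
 * case) and paths carrying shell syntax (the injection case). Quoted local
 * parts are refused too, which is deliberately conservative.
 * Returns 1 on success, 0 if the line is rejected. */
int smtp_extract_path(const char *line, const char *verb, char *out, size_t outlen) {
    size_t vlen = strlen(verb);
    if (strncasecmp(line, verb, vlen) != 0) return 0;   /* SMTP verbs are case-insensitive */
    const char *p = line + vlen;
    while (*p == ' ') p++;
    if (*p != '<') return 0;
    p++;
    const char *q = strchr(p, '>');
    if (q == NULL) return 0;
    size_t n = (size_t)(q - p);
    if (n == 0 || n > SMTP_PATH_MAX || n >= outlen) return 0;  /* bounds check before copy */
    for (size_t i = 0; i < n; i++)
        if (strchr("`$;|&'\"\\ \t\r\n<", p[i]) != NULL) return 0; /* shell metacharacters */
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

int main(void) {
    /* Constructed sample lines */
    char addr[SMTP_PATH_MAX + 1];
    const char *ok = "MAIL FROM:<alice@example.org>";
    const char *bad = "RCPT TO:<bob$(cmd)@example.org>";
    int r1 = smtp_extract_path(ok, "MAIL FROM:", addr, sizeof addr);
    printf("%s -> %d (%s)\n", ok, r1, r1 ? addr : "-");
    int r2 = smtp_extract_path(bad, "RCPT TO:", addr, sizeof addr);
    printf("%s -> %d\n", bad, r2);
    return 0;
}
```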