RCE in Sagredo qmail Fork via MX Hostname Shell Injection
A high-severity vulnerability tracked as CVE-2026-41113 allows remote code execution in the sagredo-dev/qmail fork by injecting shell metacharacters into MX hostnames processed by qmail-remote. The flaw lies in the tls_quit() path of qmail-remote, where the notlshosts_auto feature added in October 2024 builds a shell command string from attacker-controlled DNS data and runs it with popen(), which hands that string to /bin/sh. If a target server sends mail to a domain whose DNS is controlled by an attacker, a malicious MX record can trigger command execution as the qmailr user when control/notlshosts_auto is enabled.
The issue affects sagredo-dev/qmail versions v2024.10.26 through v2026.04.02 and was fixed in v2026.04.07 in commit 749f607. Public disclosures describe proof-of-concept exploitation using crafted MX values such as x'\id>/tmp/pwned`'y.evil.com`, and the flaw has been assigned a CVSS 3.1 score of 8.2. Advisories and follow-on reporting say technical details and exploit code were published alongside the disclosure, increasing the urgency for operators of the Sagredo fork to upgrade immediately.
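The root cause described above is a general pattern: a name that arrived over DNS is spliced into a command string and handed to popen(), so the shell parses the attacker's bytes as syntax. The C example below is added here for illustration and is not code from sagredo-dev/qmail; it shows the two controls a maintainer or operator would want on any such path: a strict RFC 1123 hostname validator that rejects every byte a shell could act on, and a fork/exec replacement that passes the hostname as a single argv element so no shell is involved at all. The helper program is an assumption (`true` from PATH stands in for whatever a mailer might invoke), the sample inputs are constructed apart from the MX value quoted in the advisory, and the commented-out popen() line is there only to contrast the unsafe shape.

```c
/* Added example, not sagredo-dev/qmail code: how to handle DNS-derived
 * hostnames safely before they reach an external program.              */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_HOSTNAME 253
#define MAX_LABEL     63

/* RFC 1123 "LDH" rule: letters, digits, hyphen only. Everything a shell
 * could act on (backtick, quote, ';', '|', '$', '>', space, newline ...)
 * fails this test, as does any non-ASCII byte. */
static int ldh_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Return 1 if `host` is a well-formed DNS hostname: one or more labels of
 * 1..63 LDH characters, no label starting or ending with '-', at most 253
 * characters in total, optional single trailing dot. Return 0 otherwise. */
int is_safe_mx_hostname(const char *host)
{
    size_t len, i, label_len = 0;

    if (host == NULL) return 0;
    len = strlen(host);
    if (len > 1 && host[len - 1] == '.') len--;      /* tolerate "mx.example.com." */
    if (len == 0 || len > MAX_HOSTNAME) return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0 || host[i - 1] == '-') return 0; /* empty label or "a-." */
            label_len = 0;
            continue;
        }
        if (!ldh_char(c)) return 0;
        if (label_len == 0 && c == '-') return 0;   /* label may not start with '-' */
        if (++label_len > MAX_LABEL) return 0;
    }
    return label_len > 0 && host[len - 1] != '-';    /* last label non-empty, no '-' at end */
}

/*
 * Unsafe shape (for contrast only, do not use): the hostname is spliced into
 * a command string and /bin/sh parses it, so metacharacters become commands.
 *
 *   snprintf(cmd, sizeof cmd, "some-helper %s", host);
 *   fp = popen(cmd, "r");
 */

/* Safe shape: fork/exec with the hostname as one argv element. No shell is
 * involved, so the bytes of `host` are data, never syntax. The validator is
 * still applied first as defence in depth. Returns the child's exit status,
 * or -1 if the name was rejected or the child could not be run. */
int run_with_hostname_argv(const char *prog, const char *host)
{
    pid_t pid;
    int status;

    if (!is_safe_mx_hostname(host)) return -1;

    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[3];
        argv[0] = (char *)prog;
        argv[1] = (char *)host;   /* passed verbatim as argv[1], never parsed */
        argv[2] = NULL;
        execvp(prog, argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a normal MX host and the MX value quoted in the advisory. */
    const char *good = "mx1.example.com";
    const char *bad  = "x'\\id>/tmp/pwned`'y.evil.com`";

    printf("%-40s -> %s\n", good, is_safe_mx_hostname(good) ? "accepted" : "rejected");
    printf("%-40s -> %s\n", bad,  is_safe_mx_hostname(bad)  ? "accepted" : "rejected");
    /* "true" (found on PATH) stands in for whatever helper a mailer might invoke. */
    printf("exec status for good name: %d\n", run_with_hostname_argv("true", good));
    printf("exec status for bad name:  %d\n", run_with_hostname_argv("true", bad));
    return 0;
}
```

The validator is deliberately an allow-list rather than a deny-list of known metacharacters: a hostname that is syntactically valid under RFC 1123 cannot contain anything /bin/sh would interpret, so the check stays correct even for shell features nobody thought to blacklist. The fork/exec path is the actual fix for this class of bug; the validator is the cheap second layer that also gives you a clean place to log and count rejected MX records for detection.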
Timeline
Apr 7, 2026
Public disclosure and PoC details published for CVE-2026-41113
By the time of disclosure, public technical details, proof-of-concept setup, and exploit code for CVE-2026-41113 were referenced in a Calif.io blog post and a GitHub repository. The issue was publicly described as a high-severity remote code execution vulnerability in the sagredo fork of qmail.
Apr 7, 2026
Fix released for CVE-2026-41113 in qmail v2026.04.07
On 2026-04-07, sagredo-dev/qmail fixed the vulnerability in release v2026.04.07, including commit 749f607. The fix addressed the unsafe shell command construction in qmail-remote's tls_quit() handling of MX-derived hostnames.
Oct 26, 2024
CVE-2026-41113 affects sagredo-dev/qmail releases
The command injection flaw tracked as CVE-2026-41113 affected sagredo-dev/qmail versions from v2024.10.26 through v2026.04.02. An attacker controlling DNS for a recipient domain could inject shell metacharacters via an MX hostname and achieve remote code execution as the qmailr user when control/notlshosts_auto was enabled.
Oct 26, 2024
Sagredo adds notlshosts_auto logic to qmail-remote
In October 2024, the sagredo-dev/qmail fork introduced the notlshosts_auto feature in qmail-remote. This logic later proved vulnerable because it built a shell command from MX hostnames and executed it with popen().
Related Stories

Critical Unauthenticated RCE Flaws Disclosed in Openfind MailGates and Sagredo qmail
Openfind **MailGates/MailAudit** and **Sagredo qmail** were disclosed with critical remote code execution vulnerabilities that could let attackers compromise exposed mail infrastructure. **CVE-2026-6350** affects Openfind MailGates/MailAudit and is a stack-based buffer overflow (`CWE-121`) that allows an unauthenticated remote attacker to control execution flow and run arbitrary code. The flaw carries a **CVSS v3.1** score reflecting network exploitation with no privileges or user interaction and high impact across confidentiality, integrity, and availability, and was referenced in advisories published by **TWCERT/CC**. A second flaw, **CVE-2026-41113**, affects **Sagredo qmail** versions before `2026.04.07` and enables remote code execution through `tls_quit` because `qmail-remote.c` uses `popen` in the `notlshosts_auto` component, a command injection issue tracked as `CWE-78`. The vulnerability was documented with references to public research, a GitHub publications repository, the fixing commit, pull request `#42`, and the patched `v2026.04.07` release, giving defenders a clear remediation path while underscoring the risk to internet-facing email systems.
2 weeks ago
Unauthenticated SMTP RCE Flaws Expose Tabs Mail Carrier and Zimbra
Two high-severity vulnerabilities were disclosed in mail server software that allow **unauthenticated remote code execution** through crafted SMTP input. `CVE-2019-25646` affects **Tabs Mail Carrier 2.5.1**, where an oversized `MAIL FROM` parameter triggers a **buffer overflow** on the SMTP service listening on port 25. The flaw can overwrite the `EIP` register and enable execution of attacker-controlled payloads, including a bind shell, giving remote attackers a direct path to code execution. A second flaw, `CVE-2025-71275`, affects **Zimbra Collaboration Suite 8.8.15** in the **PostJournal** service. In that case, improper sanitization of the SMTP `RCPT TO` parameter allows **command injection** via shell expansion syntax, leading to arbitrary command execution under the Zimbra service account. Both issues were classified with high impact across confidentiality, integrity, and availability, underscoring the risk posed by exposed SMTP services that process untrusted sender and recipient fields without adequate bounds checking or input sanitization.
1 month ago
Critical Remote Code Execution Vulnerability in SmarterMail
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, affecting Build 9406 and earlier. This flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, enabling them to execute remote code and potentially gain full control over compromised systems. The vulnerability has been assigned a CVSS score of 10.0, indicating maximum severity, and poses a significant risk of unauthorized access, data exfiltration, malware deployment, and lateral movement within affected networks. SmarterTools has released Build 9413 to address this issue, and immediate patching is strongly advised to mitigate the threat. The vulnerability was discovered by Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT), with responsible disclosure coordinated by the Cyber Security Agency (CSA) of Singapore. Security advisories from both SmarterTools and the Canadian Centre for Cyber Security urge all users and administrators to verify their SmarterMail version and apply the update to Build 9413 or later without delay. Failure to patch leaves organizations exposed to active exploitation and potential compromise of sensitive email communications and infrastructure.
1 month ago