HIGH
sagredo
CVE published 2026-04-16
CVE-2026-41113
A command injection vulnerability exists in sagredo qmail before version 2026.04.07. The flaw resides in the `notlshosts_auto` function within `qmail-remote.c`, which uses `popen()` to execute a command constructed with attacker-influenced input from the `tls_quit` mechanism. This allows remote unauthenticated attackers to achieve code execution on affected mail servers. The vulnerability was disclosed in [truncated]
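The page does not show the affected code, so the following is an added example and not code from sagredo qmail. It assumes, for illustration only, that the shell command's job is to create a per-host marker file, and shows the usual remediation for this bug class: validate the remote-influenced name against a strict hostname grammar and create the file with `open()` instead of passing a constructed string to `popen()`. The names `is_safe_hostname`, `mark_host` and the directory argument are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Accept only a DNS-style name: ASCII letters, digits, '-' and '.', with no
   empty or over-long label and no label that starts or ends with '-'. */
int is_safe_hostname(const char *h)
{
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        int alnum = (c >= '0' && c <= '9') ||
                    ((c | 0x20) >= 'a' && (c | 0x20) <= 'z');
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;
            label = 0;
        } else if (alnum || c == '-') {
            if (c == '-' && label == 0) return 0;
            if (++label > 63) return 0;
        } else {
            return 0;   /* quotes, ';', '$', '`', '/', whitespace, ... */
        }
    }
    return label > 0 && h[len - 1] != '-';
}

/* Create <dir>/<host> as an empty marker file without invoking a shell.
   Returns 0 on success (or if the marker already exists), -1 otherwise. */
int mark_host(const char *dir, const char *host)
{
    char path[512];
    if (!is_safe_hostname(host)) return -1;            /* reject before any use */
    int n = snprintf(path, sizeof path, "%s/%s", dir, host);
    if (n < 0 || (size_t)n >= sizeof path) return -1;  /* would truncate */
    /* O_EXCL with O_CREAT also refuses to follow a symlink at the final path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return errno == EEXIST ? 0 : -1;
    return close(fd);
}

int main(void)
{
    /* Constructed inputs: one ordinary name, one carrying shell syntax. */
    printf("%d\n", is_safe_hostname("mx.example.org"));     /* accepted */
    printf("%d\n", is_safe_hostname("mx.example.org;id"));  /* rejected */
    return 0;
}
```

Validation alone is a second line of defence; the primary fix is that no shell ever parses the name.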