What the vulnerability does
01Description
sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.
CVSS base score
8.1/10
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Key dates
02Disclosure timeline
April 16, 2026
CVE published
April 18, 2026
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2022-1440 Command Injection vulnerability in git-interface@2.1.1 in yarkeev/git-interface
CVE-2025-11202 win-cli-mcp-server resolveCommandPath Command Injection Remote Code Execution Vulnerability
CVE-2023-26490 mailcow is vulnerable to shell command injection via xoauth2 authentication in imapsync
CVE-2025-34286 Nagios XI < 2026R1 RCE via Run Check Command in CCM
CVE-2021-3058 PAN-OS: OS Command Injection Vulnerability in Web Interface XML API
