{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41113/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41113"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["qmail","rce","command-injection","CVE-2026-41113"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eSagredo qmail, a mail transfer agent (MTA), is vulnerable to a remote code execution (RCE) flaw, identified as CVE-2026-41113.  Specifically, versions prior to 2026.04.07 are affected. The vulnerability lies in the \u003ccode\u003enotlshosts_auto\u003c/code\u003e function within the \u003ccode\u003eqmail-remote.c\u003c/code\u003e file, where the \u003ccode\u003epopen\u003c/code\u003e function is used without proper sanitization, potentially allowing an attacker to inject and execute arbitrary OS commands. This vulnerability could be exploited by a remote attacker without requiring authentication, making it a critical security concern for organizations utilizing the affected qmail versions. Defenders should prioritize patching and consider implementing mitigations to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an email to a target qmail server.\u003c/li\u003e\n\u003cli\u003eThe qmail server receives the email and processes the recipient address.\u003c/li\u003e\n\u003cli\u003eDuring the delivery process, \u003ccode\u003eqmail-remote.c\u003c/code\u003e is invoked to handle remote delivery.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enotlshosts_auto\u003c/code\u003e function is called within \u003ccode\u003eqmail-remote.c\u003c/code\u003e to determine if TLS should be used for the connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enotlshosts_auto\u003c/code\u003e function executes the \u003ccode\u003epopen\u003c/code\u003e command with a crafted input string from the email, attempting to resolve hostnames.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious commands into the hostname string, which are then executed by \u003ccode\u003epopen\u003c/code\u003e on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the qmail server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then pivot to other systems within the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41113 allows a remote attacker to execute arbitrary code on the vulnerable qmail server. This could lead to complete system compromise, data breaches, or denial-of-service conditions. Organizations using vulnerable versions of qmail are at risk of losing control of their email infrastructure and potentially exposing sensitive information. While the number of actively exploited instances is currently unknown, the high CVSS score (8.1) underscores the severity and potential for widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Sagredo qmail version 2026.04.07 or later to patch CVE-2026-41113 (reference: \u003ca href=\"https://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07\"\u003ehttps://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful compromise on the qmail server.\u003c/li\u003e\n\u003cli\u003eMonitor qmail server logs for suspicious activity, such as unusual process execution or network connections (enable process_creation and network_connection logging).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Qmail Remote Execution via popen\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-qmail-rce/","summary":"A remote code execution vulnerability exists in Sagredo qmail versions prior to 2026.04.07 due to the use of `popen` in the `notlshosts_auto` function within `qmail-remote.c`, potentially leading to OS command injection.","title":"Sagredo qmail Remote Code Execution Vulnerability (CVE-2026-41113)","url":"https://feed.craftedsignal.io/briefs/2026-04-qmail-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-41113","version":"https://jsonfeed.org/version/1.1"}