8.1
Outdated Qmail Server Allows Remote Code Execution
CVE-2026-41113
Summary
A command injection issue in sagredo qmail before 2026.04.07 may allow a remote attacker to execute malicious code on the mail server. This could allow the attacker to take control of the server and perform unauthorized actions. To protect against this, update to version 2026.04.07 or later, or disable the vulnerable feature.
Original title and description
sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.
NVD CVSS 3.1
8.1
Vulnerability type
CWE-78: OS Command Injection
- https://blog.calif.io/p/we-asked-claude-to-audit-sagredos
- https://github.com/califio/publications/tree/main/MADBugs/qmail
- https://github.com/sagredo-dev/qmail/commit/749f607f6885e3d01b36f2647d7a1db88f1e...
- https://github.com/sagredo-dev/qmail/pull/42
- https://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026