{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-41113", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T22:02:09.837Z", "datePublished": "2026-04-16T22:02:10.225Z", "dateUpdated": "2026-04-16T22:37:26.591Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "qmail", "vendor": "sagredo", "versions": [{"lessThan": "2026.04.07", "status": "affected", "version": "2024.10.26", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T22:37:26.591Z"}, "references": [{"url": "https://blog.calif.io/p/we-asked-claude-to-audit-sagredos"}, {"url": "https://github.com/califio/publications/tree/main/MADBugs/qmail"}, {"url": "https://github.com/sagredo-dev/qmail/commit/749f607f6885e3d01b36f2647d7a1db88f1ef741"}, {"url": "https://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07"}, {"url": "https://github.com/sagredo-dev/qmail/pull/42"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c."}], "id": "CVE-2026-41113", "lastModified": "2026-04-16T22:16:39.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T22:16:39.103", "references": [{"source": "cve@mitre.org", "url": "https://blog.calif.io/p/we-asked-claude-to-audit-sagredos"}, {"source": "cve@mitre.org", "url": "https://github.com/califio/publications/tree/main/MADBugs/qmail"}, {"source": "cve@mitre.org", "url": "https://github.com/sagredo-dev/qmail/commit/749f607f6885e3d01b36f2647d7a1db88f1ef741"}, {"source": "cve@mitre.org", "url": "https://github.com/sagredo-dev/qmail/pull/42"}, {"source": "cve@mitre.org", "url": "https://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2024.10.26,2026.04.07)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "qmail", "source": "cna", "vendor": "sagredo"}, "product": "qmail", "vendor": "sagredo"}], "analysis": {"en": {"generated_at": "2026-04-17T02:23:48.513972+00:00", "value": {"mitigation_remediation": ["Upgrade sagredo qmail to release v2026.04.07 or later, which removes the popen call in notlshosts_auto.", "If upgrading immediately is not possible, temporarily disable the tls_quit functionality by editing the qmail configuration or removing the flag that enables it, thereby preventing the vulnerable code from executing.", "Restrict network exposure of the qmail service using firewall rules or intrusion detection so that only trusted hosts can connect, reducing the opportunity for exploitation while awaiting a patch."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is sagredo qmail, any release before the 2026.04.07 update. Those running older versions should verify their installed version and apply the v2026.04.07 release, which removes the insecure popen invocation.", "description_and_impact": "sagredo qmail versions prior to 2026.04.07 contain an OS command injection flaw in the notlshosts_auto function of qmail-remote.c. The vulnerable popen call is executed when processing the tls_quit command, enabling an attacker to supply arbitrary shell commands. Exploitation results in remote code execution with the privileges of the qmail process, potentially leading to full system compromise. The weakness corresponds to CWE\u201178.", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog; however the exploitation path is straightforward: a remote client who can establish a TLS connection to the qmail instance can issue the tls_quit command and trigger the vulnerable popen call. The attack requires only network access to the qmail service and does not require privileged local access."}}}}, "created": "2026-04-17T02:30:07.312424+00:00", "title": "TLS_QUIT Command Injection in sagredo qmail", "updated": "2026-04-17T08:01:25.434832+00:00", "vendors": ["sagredo", "sagredo$PRODUCT$qmail"]}