A remote code execution flaw tracked as CVE-2026-41113 was disclosed in the sagredo-dev/qmail fork after researchers found that qmail-remote could build and execute a shell command from an attacker-controlled MX hostname. The bug sits in tls_quit() and was introduced by the notlshosts_auto feature added in October 2024, which automatically records hosts that fail TLS. If a target mail server sends mail to a domain whose DNS MX record is controlled by an attacker, a crafted hostname containing shell metacharacters can be passed through sprintf() into popen(), allowing arbitrary commands to run as the qmailr user when control/notlshosts_auto is enabled.
The issue affects sagredo-dev/qmail versions v2024.10.26 through v2026.04.02 and was fixed in v2026.04.07 by commit 749f607, which removes shell execution, adds stricter FQDN validation, and replaces the vulnerable logic with safer file handling using open() and snprintf(). Public writeups and a GitHub repository published technical analysis, a Docker-based reproduction environment, and proof-of-concept exploit material showing the chain from crafted DNS responses to command execution, with one example writing id output to /tmp/qmail_rce_proof. The vulnerability carries a reported CVSS 3.1 score of 8.2 (High), and maintainers advised users of the community-patched qmail fork—not original qmail 1.03—to upgrade immediately.

Timeline (5 events, from the most recent confirmed update back to the earliest known activity):
A public GitHub repository released proof-of-concept exploit code, technical analysis, and a Docker-based reproduction environment for the qmail RCE. The materials demonstrated exploitation leading to creation of /tmp/qmail_rce_proof with id output as qmailr.
Researchers publicly documented the vulnerability in sagredo's qmail fork, explaining that attacker-controlled MX data could reach popen() in tls_quit() and yield code execution as qmailr. The post states the issue had been reported, assigned CVE-2026-41113, and fixed in commit 749f607 and release v2026.04.07.
sagredo-dev published release v2026.04.07, describing a security issue involving remote code execution via shell injection in the qmail-remote TLS error handler. Multiple references state this release fixed CVE-2026-41113.
A fix for the command injection vulnerability was committed in sagredo-dev/qmail as commit 749f607. The patch removed shell-based popen behavior, added safer file handling and hostname validation, and credited Diep Pham with identifying the issue.
The vulnerable notlshosts_auto logic was added to sagredo-dev/qmail in October 2024, introducing behavior that later enabled shell injection through attacker-controlled MX hostnames. Affected versions are described as starting with v2024.10.26.
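To make the hardening described in the fix concrete (strict FQDN validation of the DNS-supplied host name, then recording it with open() and snprintf() instead of building a shell command), here is an added C example written for this page. It is not sagredo-dev/qmail's own source and does not reproduce tls_quit(); the function names is_valid_fqdn() and record_notls_host(), the file path and the sample host names are assumptions constructed for the illustration. The point it demonstrates is that a value copied from an MX record must never reach a shell, and that a validator which admits only DNS label characters makes the metacharacter injection the advisory describes impossible by construction.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

/* Example hardening, not the qmail fork's code: a host name taken from DNS
 * (e.g. an MX target) is validated as a plain FQDN and appended to a
 * one-host-per-line file with open()/write(), never via popen()/system(). */

#define MAX_FQDN  253   /* RFC 1035 limit on a full name */
#define MAX_LABEL 63    /* RFC 1035 limit on one label */

/* Return 1 if host is dot-separated labels of [A-Za-z0-9-] with no empty
 * label, no leading/trailing hyphen and within DNS length limits.  Shell
 * metacharacters, whitespace, quotes, control bytes and non-ASCII are all
 * rejected.  A trailing dot is deliberately not accepted in this example. */
int is_valid_fqdn(const char *host)
{
    size_t len, i, label_len = 0;

    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > MAX_FQDN) return 0;

    for (i = 0; i <= len; i++) {
        char c = host[i];
        if (c == '.' || c == '\0') {            /* end of a label */
            if (label_len == 0 || label_len > MAX_LABEL) return 0;
            if (host[i - 1] == '-') return 0;   /* label may not end in '-' */
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-') return 0;  /* label may not start with '-' */
        if (!isalnum((unsigned char)c) && c != '-') return 0;
        label_len++;
    }
    return 1;
}

/* Append one validated host per line to path without invoking a shell.
 * Returns 0 on success, -1 on validation failure (errno = EINVAL) or I/O error. */
int record_notls_host(const char *path, const char *host)
{
    char line[MAX_FQDN + 2];   /* name + '\n' + NUL */
    int fd, n;
    ssize_t written;

    if (!is_valid_fqdn(host)) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(line, sizeof line, "%s\n", host);
    if (n < 0 || (size_t)n >= sizeof line) return -1;   /* refuse on truncation */

    fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    if (fd < 0) return -1;
    written = write(fd, line, (size_t)n);
    close(fd);
    return written == n ? 0 : -1;
}

int main(void)
{
    /* Constructed sample MX host names: one benign, two carrying shell syntax. */
    const char *samples[] = {
        "mx1.example.com",
        "mx.example.com; id > /tmp/x",
        "$(id).example.com",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               is_valid_fqdn(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validator is intentionally an allow-list: rather than stripping or escaping characters that happen to be dangerous for sh, it admits only what a DNS name may contain, so the file write cannot be turned into command execution regardless of which shell or quoting rules a later consumer applies.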
References tracked (6): github.com; blog.calif.io; opennet.me; github.com; github.com; seclists.org.