CVE-2026-41113 is a remote code execution vulnerability in the sagredo-dev/qmail fork, affecting versions before 2026.04.07, specifically reported as v2024.10.26 through v2026.04.02. The flaw is in qmail-remote.c, in the TLS error handler tls_quit(), within the notlshosts_auto logic added in October 2024. When TLS delivery fails, the code constructs a shell command using sprintf() that includes the remote MX hostname and executes it via popen(). The hostname value, partner_fqdn, is attacker-controlled through DNS MX data. Although the implementation wraps the hostname in single quotes, this is insufficient because DNS labels can contain bytes that survive glibc dn_expand() decoding, including single quotes and shell metacharacters. A malicious MX hostname can therefore break out of the quoted context and inject arbitrary shell commands. Successful exploitation occurs when the target qmail server attempts delivery to an attacker-controlled domain and a TLS failure triggers tls_quit().
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in sagredo qmail before version 2026.04.07 caused by use of popen in notlshosts_auto within qmail-remote.c.
A remote code execution vulnerability in sagredo's qmail fork caused by shell command injection in the notlshosts_auto feature. An attacker can control the remote hostname via DNS MX records, trigger a TLS failure during mail delivery, and cause qmail to execute attacker-controlled shell syntax via popen().
A command injection vulnerability in qmail related to processing attacker-controlled MX/DNS data that is passed into popen(), enabling shell command execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.