HIGH Vulnerability

CVE-2026-44002

Template renderer command injection in Orbit Mail maintenance jobs

A trusted maintenance workflow in Orbit Mail passed unsanitized template directives to a shell-backed renderer, leading to authenticated remote command execution.

CVE: CVE-2026-44002
Title: Template renderer command injection in Orbit Mail maintenance jobs
Case Number: VAPT-2026-04402
Status: Published
Credits
Affected products
Product | Affected | Unaffected | Unknown
Orbit Mail Orbit Mail Appliance | Orbit Mail Appliance 7.1.0 through 7.1.5 | Unknown
CVSS
Base score: 8.6 - HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
References
Problem type(s)
CWE / Problem Type:
MITRE Tactics:
  • Execution (TA0002)
  • Persistence (TA0003)
MITRE Techniques:
  • Command and Scripting Interpreter (T1059)
  • Server Software Component (T1505)
Date published: Apr 10, 2026
Last modified: Apr 10, 2026, 13:43 UTC

Description

The appliance assembled a shell command by concatenating a renderer binary, template path, and user-controlled directive fields. Escaping was only applied to the template path, so directive values containing shell separators were evaluated by the maintenance job runner.

Known Detection Rules

Upgrade to Orbit Mail Appliance 7.1.6 or later, remove shell invocation from the renderer path, and rotate credentials stored on affected systems. Organizations should inspect maintenance task histories for unapproved directive values.
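The flaw in the Description and the two remediation steps above (removing the shell from the renderer path, and inspecting task histories), sketched as an added example; this is not Orbit Mail's code. The renderer path, the `--template` and `--set` flags, the directive field names and the history records are all hypothetical or constructed.

```python
import re
import shlex

# Hypothetical names: the advisory does not give the renderer path, its flags,
# or the directive field names. All sample data below is constructed.
RENDERER = "/opt/example/bin/render"
SAFE_KEY = re.compile(r"[a-z][a-z0-9_]{0,31}")
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:@/-]{1,128}")   # allowlist, not a denylist
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"]")       # used only for history triage

def flawed_command(template, directives):
    """Pattern from the description: only the template path is escaped."""
    parts = [RENDERER, "--template", shlex.quote(template)]
    parts += [f"--set {k}={v}" for k, v in directives.items()]
    return " ".join(parts)   # a string like this is what a shell would parse

def safe_argv(template, directives):
    """Argument vector for subprocess.run(argv, shell=False); no shell parses it."""
    argv = [RENDERER, "--template", template]
    for key, value in directives.items():
        if not SAFE_KEY.fullmatch(key) or not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"rejected directive {key!r}")
        argv += ["--set", f"{key}={value}"]
    return argv

def flag_history(records):
    """Ids of past maintenance tasks whose directive values hold shell metacharacters."""
    return [r["id"] for r in records
            if any(SHELL_META.search(str(v)) for v in r["directives"].values())]

HISTORY = [  # constructed maintenance task history
    {"id": 101, "directives": {"locale": "en_US", "footer": "weekly-digest"}},
    {"id": 102, "directives": {"locale": "en_US; echo INJECTED"}},
    {"id": 103, "directives": {"footer": "$(hostname)"}},
]

if __name__ == "__main__":
    print(flawed_command("/srv/tpl/a b.tpl", HISTORY[1]["directives"]))
    print(safe_argv("/srv/tpl/a b.tpl", HISTORY[0]["directives"]))
    print(flag_history(HISTORY))
```

The template path comes out quoted in the flawed string while the directive value reaches the shell verbatim; the argv form never involves a shell and rejects values outside the allowlist.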

No authenticated YARA, Sigma, or KQL detection content is attached to this CVE.

References

VAPT writeup

Public VAPT advisory linked to this CVE.

VAPT advisory
Vendor advisory

Public vendor advisory or acknowledgment linked to this CVE.

Vendor advisory