HIGH Vulnerability

VAPT-2026-04402 | Template renderer command injection in Orbit Mail maintenance jobs

A trusted maintenance workflow in Orbit Mail passed unsanitized template directives to a shell-backed renderer, leading to authenticated remote command execution.

Case Overview

Case Reference: VAPT-2026-04402
Author: Noah Injection
Researcher(s):
Product: Orbit Mail Appliance
Version: Orbit Mail Appliance 7.1.0 through 7.1.5
Recommendation

Upgrade to Orbit Mail Appliance 7.1.6 or later where possible.

Workaround

Upgrade or rebuild to Orbit Mail Appliance 7.1.6 or later.

Status
Published
Last Modified: Apr 10, 2026, 13:43 UTC

Summary

A trusted maintenance workflow in Orbit Mail passed unsanitized template directives to a shell-backed renderer, leading to authenticated remote command execution.

Affected Scope

Product

Orbit Mail Appliance

Versions

Orbit Mail Appliance 7.1.0 through 7.1.5

How Attackers Can Misuse This

  • A trusted maintenance workflow in Orbit Mail passed unsanitized template directives to a shell-backed renderer, leading to authenticated remote command execution.

Root Cause

The appliance assembled a shell command by concatenating a renderer binary, template path, and user-controlled directive fields. Escaping was only applied to the template path, so directive values containing shell separators were evaluated by the maintenance job runner.

record: VAPT-2026-04402
severity: HIGH
product: Orbit Mail Appliance
target_versions: Orbit Mail Appliance 7.1.0 through 7.1.5
linked_cves: CVE-2026-44002
cvss_vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What You Can Do

Immediate Updates

Upgrade to Orbit Mail Appliance 7.1.6 or later where possible.

Treat as Compromised

Treat exposed management surfaces and previously issued credentials as potentially compromised.

Rotate Credentials

Rotate affected secrets, tokens, and privileged service credentials after remediation is applied.

Threat Hunting

Upgrade to Orbit Mail Appliance 7.1.6 or later, remove shell invocation from the renderer path, and rotate credentials stored on affected systems. Organizations should also inspect maintenance task histories for unapproved directive values.
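The root cause above (only the template path was escaped before the command string reached a shell) and the hunting advice here (review stored directive values) can both be illustrated with one added example. This is illustrative code, not Orbit Mail's renderer; the binary path, the `--set` flag, the directive allowlist and the sample job history are all constructed placeholders.

```python
import re
import shlex
import subprocess

# Constructed placeholders: the binary path and the --set flag are not
# Orbit Mail's real renderer interface.
RENDERER = "/opt/orbit/bin/render-template"
# Allowlist for directive keys and values: no whitespace, no shell
# metacharacters, bounded length.
DIRECTIVE_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def build_command_vulnerable(template_path, directives):
    """The flawed pattern from the advisory: the template path is quoted,
    but directive values are concatenated raw into one shell string."""
    cmd = f"{RENDERER} {shlex.quote(template_path)}"
    for key, value in directives.items():
        cmd += f" --set {key}={value}"
    return cmd


def directive_is_safe(key, value):
    return bool(DIRECTIVE_RE.match(key)) and bool(DIRECTIVE_RE.match(value))


def build_argv_hardened(template_path, directives):
    """Fixed pattern: validate every directive against the allowlist and
    build an argv list so no shell ever parses the values."""
    argv = [RENDERER, template_path]
    for key, value in directives.items():
        if not directive_is_safe(key, value):
            raise ValueError(f"rejected maintenance directive {key!r}")
        argv += ["--set", f"{key}={value}"]
    return argv


def render(template_path, directives):
    # shell=False (the default) hands argv straight to the executable.
    return subprocess.run(build_argv_hardened(template_path, directives),
                          check=True, capture_output=True)


def flag_history(records):
    """Hunting helper: ids of stored maintenance jobs whose directive
    values would fail the allowlist, i.e. candidates for review."""
    return [r["job_id"] for r in records
            if not all(directive_is_safe(k, v) for k, v in r["directives"].items())]


# Constructed sample job history, not real appliance data.
SAMPLE_HISTORY = [
    {"job_id": 101, "directives": {"profile": "nightly", "owner": "ops@example.org"}},
    {"job_id": 102, "directives": {"profile": "nightly; id"}},
]
```

The same allowlist that blocks a bad directive at submission time can be run over an exported task history to surface jobs worth a closer look.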

Tools

No downloadable tools or authenticated evidence packages are attached to this case.

What We Are Doing

The Orbit Mail case is currently marked published, with patch status reported as published. VAPT continues to keep the public lifecycle aligned with coordinated disclosure milestones and remediation visibility.

Timeline

Date / Description

Mar 23, 2026: Submitted

The researcher submitted the initial disclosure package.

Mar 31, 2026: Validated

The issue was validated and reserved for coordinated disclosure.

Apr 10, 2026: Published

The case was published with a public VAPT advisory and CVE writeup.

More Information

Technical writeup

Root-cause walkthrough and affected request flow.

Public reference