Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-43920

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.

Published

2025-04-20T01:15:45.867

Last Modified

2025-04-28T14:15:22.323

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-78
Type: Primary
CWE-78

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gnu	mailman	≤ 2.1.39	Yes

References

https://code.launchpad.net/~mailman-coders/mailman/2.1 Product ([email protected])
https://github.com/0NYX-MY7H/CVE-2025-43920 Exploit, Third Party Advisory ([email protected])
https://github.com/cpanel/mailman2-python3 ([email protected])
https://www.openwall.com/lists/oss-security/2025/04/21/6 ([email protected])