CVE-2025-43920

CWE-78OS Command Injection4 documents4 sources
Severity
8.1HIGH
EPSS
1.4%
top 19.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GNU Mailman
Timeline
PublishedApr 20

Description

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.7

Affected Packages2 packages

NVDgnu/mailman2.1.12.1.39
CVEListV5gnu/mailman2.1.39

🔴Vulnerability Details

3
OSV
CVE-2025-43920: GNU Mailman 22025-04-20
CVEList
CVE-2025-43920: GNU Mailman 22025-04-20
GHSA
GHSA-35m2-m3ch-fgh4: GNU Mailman 22025-04-20
CVE-2025-43920 (HIGH CVSS 8.1) | GNU Mailman 2.1.39 | cvebase.io