CVE-2025-43920 PUBLISHED

Assigner: mitre
Reserved: 19.04.2025 Published: 20.04.2025 Updated: 20.04.2025

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	GNU
Product	Mailman
Versions	Default: unknown Version 2.1.39 is affected

References

https://code.launchpad.net/~mailman-coders/mailman/2.1
https://github.com/0NYX-MY7H/CVE-2025-43920

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE