[New Template] CVE-2026-6350: Openfind MailGates/MailAudit Stack Buffer Overflow RCE #15938

Closed
eyangfeng88-arch wants to merge 4 commits into projectdiscovery:main from eyangfeng88-arch:CVE-2026-6350

@eyangfeng88-arch

Template Information

CVE ID: CVE-2026-6350
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121 (Stack-based Buffer Overflow)

Vulnerability Description

A stack-based buffer overflow vulnerability exists in Openfind MailGates and MailAudit products. An unauthenticated remote attacker can exploit this vulnerability via network-facing input handlers, causing a buffer overflow that allows manipulation of program execution flow and corruption of critical control flow data (return addresses), leading to Remote Code Execution.

Affected Software

  • Product: Openfind MailGates / MailAudit

Detection Methods

  • Product fingerprinting via common endpoints
  • Version detection via specific version endpoints
  • Banner grabbing via HTTP response headers
  • JavaScript/CSS resource fingerprinting

References

… RCE

- CVSS 9.8 Critical vulnerability
- Affects Openfind MailGates and MailAudit products
- Stack-based buffer overflow leading to RCE
- CWE-121: Stack-based Buffer Overflow
@neo-by-projectdiscovery-dev
Contributor

neo-by-projectdiscovery-dev Bot commented Apr 17, 2026

Neo - Nuclei Template Review

No security issues found

Hardening Notes
  • The template has a YAML syntax error (duplicate 'matchers:' key at lines 39 and 76) that will cause parsing failure - this is a quality issue, not a security vulnerability
  • Template is placed in http/vulnerabilities/ but should follow repository convention of http/cves/2026/ for CVE templates
  • Template lacks metadata fields (max-request, verified, vendor, product) that are standard in this repository
  • Template is detection-only and does not verify the actual buffer overflow vulnerability - it only fingerprints the product


eyangfeng88-arch and others added 3 commits April 18, 2026 01:06
- Merge duplicate matchers blocks into single coherent matcher set
- Add version extraction with named 'version' extractor
- Add version comparison logic using compare_versions DSL
  - MailGates vulnerable: < 6.1.10.054
  - MailAudit vulnerable: < 5.2.10.099
- Update author from 'security-researcher' to 'eyangfeng88-arch'
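
The version thresholds listed in the commit message above, checked outside nuclei as an added example (not code from this pull request or from the nuclei-templates project). It assumes the product name and version string have already been extracted from a fingerprinted host; the function names and sample inventory are hypothetical. The build numbers have four components with a zero-padded last field, so they are compared as integers rather than as strings.

```python
# Added example. Only the two thresholds come from the commit message;
# function names and sample data are constructed for illustration.
VULNERABLE_BELOW = {
    "mailgates": "6.1.10.054",
    "mailaudit": "5.2.10.099",
}

def parse_version(text):
    """Split a dotted build string into integers so '054' compares as 54."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def compare_dotted(a, b):
    """Return -1, 0 or 1; the shorter version is right-padded with zeros."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)

def assess(product, version):
    """Classify a host as 'vulnerable', 'not_vulnerable' or 'unknown'."""
    threshold = VULNERABLE_BELOW.get(product.lower())
    if threshold is None:
        return "unknown"
    try:
        below = compare_dotted(version, threshold) < 0
    except ValueError:
        return "unknown"  # unparseable version: report it, do not guess
    return "vulnerable" if below else "not_vulnerable"

if __name__ == "__main__":
    # Constructed inventory rows: (product, extracted version string)
    inventory = [
        ("MailGates", "6.1.9.999"),    # a string compare would rank this above 6.1.10.054
        ("MailGates", "6.1.10.054"),
        ("MailAudit", "5.2.10"),       # short form, padded to 5.2.10.0
        ("MailAudit", "5.2.10.099-hotfix"),
    ]
    for product, version in inventory:
        print(f"{product:10} {version:20} {assess(product, version)}")
```

A result of "unknown" means the fingerprint needs manual review; it is not evidence that the host is unaffected.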