{"uuid": "31254886-ee1c-4b7a-b813-e274aec09cf0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50880", "type": "seen", "source": "https://gist.github.com/pyuysig/4013f4f10f74b3fded7ddf41b6d36ae5", "content": "# Vulnerability Report: CVE-2026-50880 - YouTransfer - Sendmail transport executable path can be attacker-controlled\n\n## Vulnerability Summary\nYouTransfer 1.0.6 contains a command execution issue in sendmail transport configuration. An attacker who can modify email settings can configure the sendmail transport to use an attacker-chosen executable path and then trigger /send, causing the configured executable to be run.\n\n## Affected Product\n- **Vendor**: YouTransfer Project\n- **Product**: YouTransfer\n- **Version**: 1.0.6\n- **Vulnerable Component**: /settings/email, /send, lib/youtransfer.js sendmail transporter path\n\n## Vulnerability Details\n- **Vulnerability Type**: OS Command Injection\n- **Weakness**: CWE-78\n- **Attack Conditions**: Context-dependent. Modify email settings to use the sendmail transport with an attacker-chosen executable path, then trigger /send.\n\n## Report Body\n\n### Summary\nYouTransfer 1.0.6 contains a command execution issue in sendmail transport configuration. An attacker who can modify email settings can configure the sendmail transport to use an attacker-chosen executable path and then trigger /send, causing the configured executable to be run.\n\n### Details\nThe email settings path allows the sendmail transport executable to be configured and later used by the send operation. A crafted sender address can also be reinterpreted as an option by the spawned executable in the affected path.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50880.\n3. Confirm the security result: After setting the sendmail path to a controlled executable or payload, triggering a send operation executes that path.\n\n### Impact\nCommand execution in deployments where an attacker can modify email transport settings.\n\n## Remediation\nDo not allow untrusted users to configure executable paths. Restrict the sendmail path to trusted server-side configuration and pass arguments safely.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:49.000000Z"}