CVE-2026-50880
Description
YouTransfer v1.0.6 allows arbitrary command execution via crafted sendmail transport settings and sender address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In YouTransfer v1.0.6, the email configuration settings let an authenticated user set settings.email.transporter to sendmail and define sendmailPath as an arbitrary executable. When a transfer is sent via /send, lib/youtransfer.js loads these settings and invokes the configured sendmailPath to deliver the notice. The path is attacker-controllable, enabling command injection through the message fields passed as arguments [1].
Exploitation
An attacker needs the ability to modify YouTransfer's email settings—typically a privileged account or deployment where settings are exposed. The attacker sets sendmailPath to a command interpreter such as perl, then submits a transfer through /send with a crafted sender address. For example, using a local part of -esystem q(touch /tmp/yt_perl_transport_rce)# causes the perl binary to execute the system function, creating a file on the server [1].
Impact
Successful exploitation achieves arbitrary command execution with the privileges of the YouTransfer process. This can lead to full compromise of the application server, including data exfiltration, lateral movement, or further attacks. Deployments where untrusted users cannot change mail settings are not directly exploitable [1].
Mitigation
No official fix is available as of publication date (2026-06-15). The recommended workaround is to restrict access to the email settings page to trusted administrators only, enforcing strict access controls. Additionally, monitoring for unexpected changes to sendmailPath can help detect potential exploitation [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"YouTransfer passes an attacker-controlled executable path and untrusted message fields directly to the Nodemailer sendmail transport, enabling command injection."
Attack vector
An attacker who can modify YouTransfer's email settings sets `settings.email.transporter` to `sendmail` and `sendmailPath` to an arbitrary executable (e.g., `perl`). When a transfer is submitted through `/send`, the attacker crafts a sender address whose local part contains command-line arguments (e.g., `-esystem q(touch /tmp/yt_perl_transport_rce)#`). The Nodemailer sendmail transport invokes the configured executable with the crafted message fields, resulting in arbitrary command execution [ref_id=1].
Affected code
The vulnerable code is in the `/settings/email` flow, which stores `settings.email.transporter=sendmail` and `sendmailPath`, and the `/send` flow in `lib/youtransfer.js`, which loads those settings and passes them into the Nodemailer sendmail transport. The attacker-controlled values are the configured sendmail path and message fields used during transport invocation [ref_id=1].
What the fix does
The advisory does not provide a patch. The vulnerability arises because YouTransfer accepts an arbitrary executable path as `sendmailPath` and passes untrusted message content as arguments to that executable. A fix would require validating that `sendmailPath` is a known safe binary (e.g., `/usr/sbin/sendmail`) and sanitizing or escaping message fields to prevent argument injection. Without such controls, any user who can modify mail settings can achieve command execution [ref_id=1].
Preconditions
- auth: The attacker must have the ability to modify YouTransfer's email settings (e.g., an authenticated account or deployment state that permits changing mail transport configuration).
- config: The attacker must set `settings.email.transporter` to `sendmail` and `sendmailPath` to a chosen executable.
- input: The attacker must submit a transfer through `/send` with a crafted sender address containing command-line arguments.
Reproduction
Access YouTransfer 1.0.6 with an account or deployment state that can modify email settings. Set `settings.email.transporter` to `sendmail` and set `sendmailPath` to `perl`. Submit a transfer through `/send` using a sender address whose local part is shaped as `-esystem q(touch /tmp/yt_perl_transport_rce)#`. Let YouTransfer invoke the configured sendmail transport for that transfer. Observe that `/tmp/yt_perl_transport_rce` is created by the server process [ref_id=1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.