The bug in Usermin, a widely used administration console for Unix and Linux, could allow the introduction of rogue shell code when a user views a particular e-mail via the web. The attacking code would assume the privileges of the Usermin administrator.
Usermin lets users administer their own accounts on a network via a web-based interface and lets them carry out functions such as reading e-mail online.
In its advisory, Secunia gave the vulnerability a "highly critical" rating, its second most severe category.
Also affected is Webmin, a system administration tool that ships with Linux distributions such as Suse, Mandrake and Gentoo. Webmin contains Usermin functions, including the vulnerable web mail feature, Secunia said.