Sendmail Users Update ClamAV NOW!

A most serious, easily exploitable vulnerability in ClamAV versions prior to the recently released 0.91.2 could allow an attacker to compromise a system by sending an e-mail to it. The issue is in clamav-milter, the sendmail plug-in for the anti-virus, which scans e-mail as it comes into the server. Clamav-milter doesn't properly sanitize user input, so it is possible to inject shell code into the server by sending an e-mail with a specially malformed recipient field. There are no reports of real-world exploits using this vulnerability.
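
To check a host against the fixed release named above, here is an added example (not from the original article or the ClamAV project) that parses a version banner and compares it numerically with 0.91.2. The function names and sample banners are constructed for illustration, and the banner layout "ClamAV X.Y.Z/..." as printed by `clamscan --version` is an assumption.

```shell
#!/bin/sh
# Added example: flag ClamAV installs older than the fixed release 0.91.2.
FIXED="0.91.2"   # fixed release named in the article

# Pull "X.Y[.Z...]" out of a banner such as "ClamAV 0.91.1/4012/Mon Aug 20 ..."
# (banner layout assumed to match `clamscan --version` output).
clamav_version() {
    printf '%s\n' "$1" |
        sed -n 's/^ClamAV \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Return 0 if dotted version $1 is strictly lower than $2. Components are
# compared as numbers, so 0.91.10 is newer than 0.91.2 and 0.91 is older.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}          # a missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                          # equal versions are not "lower"
}

# 0 = older than 0.91.2 (update), 1 = 0.91.2 or newer, 2 = banner not recognised.
clamav_needs_update() {
    v=$(clamav_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED"
}

# Constructed sample banners; on a live host pass "$(clamscan --version)".
for banner in "ClamAV 0.91.1/4012/Mon Aug 20 10:00:00 2007" \
              "ClamAV 0.91.2/4100/Tue Aug 28 09:00:00 2007" \
              "ClamAV 0.91.10/1/constructed" "not a clamav banner"; do
    rc=0; clamav_needs_update "$banner" || rc=$?
    case $rc in
        0) echo "UPDATE NEEDED: $banner" ;;
        1) echo "ok:            $banner" ;;
        *) echo "unrecognised:  $banner" ;;
    esac
done
```

A plain string comparison would rank 0.91.10 below 0.91.2, which is why the components are compared as numbers.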
