SmarterTools

SmarterMail

28 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2026-7807

  • EPSS 0.3%
  • Veröffentlicht 08.05.2026 19:54:33
  • Zuletzt bearbeitet 04.06.2026 15:37:22

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulne...

9.1

CVE-2026-40514

  • EPSS 0.16%
  • Veröffentlicht 27.04.2026 14:21:40
  • Zuletzt bearbeitet 04.06.2026 15:28:12

SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reduc...

7.2

CVE-2026-26930

  • EPSS 0.3%
  • Veröffentlicht 16.02.2026 16:27:14
  • Zuletzt bearbeitet 15.04.2026 00:35:42

SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.

5.3

CVE-2026-25067

  • EPSS 0.28%
  • Veröffentlicht 29.01.2026 03:38:02
  • Zuletzt bearbeitet 09.03.2026 14:29:14

SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path witho...

9.8

CVE-2026-24423

Warnung Medienbericht
  • EPSS 87.69%
  • Veröffentlicht 23.01.2026 16:53:34
  • Zuletzt bearbeitet 06.02.2026 16:45:15

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS ...

9.8

CVE-2026-23760

Warnung Medienbericht Exploit
  • EPSS 96.27%
  • Veröffentlicht 22.01.2026 14:35:17
  • Zuletzt bearbeitet 27.01.2026 16:16:55

SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token wh...

10

CVE-2025-52691

Warnung Medienbericht Exploit
  • EPSS 85.46%
  • Veröffentlicht 29.12.2025 02:15:58
  • Zuletzt bearbeitet 27.01.2026 15:28:07

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

5.4

CVE-2023-48116

Exploit
  • EPSS 0.36%
  • Veröffentlicht 21.12.2023 15:15:09
  • Zuletzt bearbeitet 21.11.2024 08:31:07

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment.

5.4

CVE-2023-48115

Exploit
  • EPSS 0.36%
  • Veröffentlicht 21.12.2023 15:15:09
  • Zuletzt bearbeitet 21.11.2024 08:31:07

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request.

5.4

CVE-2023-48114

Exploit
  • EPSS 0.36%
  • Veröffentlicht 21.12.2023 15:15:09
  • Zuletzt bearbeitet 21.11.2024 08:31:07

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ charac...