CVE-2026-40514

smartertools / smartermail

Description

SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.

Scoring

CVSS 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.15% probability of exploitation · percentile 5.0% · 2026-06-18T12:00:27Z
Last modified: 2026-06-04

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-7807
CVE: SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
CVE: SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
CVE: SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
CVE: CVE-2026-29143
CVE: CVE-2026-40496
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.