CVE-2026-7807 · HIGH 8.1 · EPSS percentile 21.0%

smartertools / smartermail

Description

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.0% · scored 2026-06-19T12:03:05Z
Published: 2026-05-08
Last modified: 2026-06-04

Underlying weaknesses · 1

CWE-22

References

  1. https://www.smartertools.com/smartermail/release-notes/current
  2. https://www.vulncheck.com/advisories/smartertools-smartermail-build-9560-server-local-file-inclusion-via-the-api-v1-report-summary-type-api


Weakness mapping · 1

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
  2. CVE: SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
  3. CVE: CVE-2026-40514
  4. CVE: SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
  5. CVE: CVE-2026-28117
  6. CVE: SimpleHelp Path Traversal Vulnerability

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.