CVE-2026-26930
Published: 2026-02-16
Priority: P3 · 38 · high · CVSS 3.1 base score 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.29% (21.1st percentile)
SmarterTools SmarterMail before build 9526 allows XSS via MAPI requests.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartertools | smartermail | < 9526 | 9526 |
No detection rules found.
No public exploits indexed.
## CVE-2026-24423: SmarterTools SmarterMail vulnerability analysis and mitigation (Wiz)
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker can point SmarterMail at a malicious HTTP server that serves an OS command, which the vulnerable application then executes.
Source: NVD
Score: 9.3 (CNA score 9.3, severity CRITICAL)
Published: January 23, 2026
Affected technologies: SmarterTools SmarterMail
Has public exploit: Yes
Has CISA KEV exploit: Yes (KEV release date N/A, due date N/A)
EPSS: 66.4 (98.5th percentile)
Affected packages and libraries: cpe:2.3:a:smartertools:smarterma
## CVE-2025-52691: SmarterTools SmarterMail vulnerability analysis and mitigation (Wiz)
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Source: NVD
Score: 10.0 (CNA score 10.0, severity CRITICAL)
Published: December 29, 2025
Affected technologies: SmarterTools SmarterMail
Has public exploit: Yes
Has CISA KEV exploit: Yes (KEV release date N/A, due date N/A)
EPSS: 87.3 (99.4th percentile)
Affected packages and libraries: cpe:2.3:a:smartertools:smartermail
Sources: Windows, severity CRITICAL, has fix, added Jan 02, 2026; Windows, severity CRITICAL, has fix, added Jan 04, 2026
## CVE-2026-26930: SmarterTools SmarterMail vulnerability analysis and mitigation (Wiz)
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
Source: NVD
Score: 7.2 (CNA score 7.2, severity HIGH)
Published: February 16, 2026
Affected technologies: SmarterTools SmarterMail
Has public exploit: Yes
Has CISA KEV exploit: No (KEV release date N/A, due date N/A)
EPSS: N/A (2.3rd percentile)
Affected packages and libraries: cpe:2.3:a:smartertools:smartermail
Sources: NVD; Windows, severity HIGH, has fix, added Feb 16, 2026
## Related SmarterTools SmarterMail vulnerabilities
## CVE-2026-25067: SmarterTools SmarterMail vulnerability analysis and mitigation (Wiz)
SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.
Source: NVD
Score: 6.9 (CNA score 6.9, severity MEDIUM)
Published: January 29, 2026
Affected technologies: SmarterTools SmarterMail
Has public exploit: No
Has CISA KEV
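The path coercion above, and the write-to-any-location upload in CVE-2025-52691, are both the same defect: attacker input is decoded and used as a filesystem path with no confinement. The following is an added example, not SmarterMail's code: a decode-and-trust function in that shape next to a hardened decoder that rejects UNC, absolute and drive-qualified input and requires the normalised path to stay under a base directory. The function names, the base directory and the sample inputs are constructed for illustration; ntpath is used so the Windows path rules are applied on any host.

```python
"""Added example (not SmarterMail code): decode-and-trust path handling in the
shape described for CVE-2026-25067, next to a hardened version that also closes
the write-to-any-location pattern of CVE-2025-52691. Names, base directory and
sample inputs are constructed for illustration."""
import base64
import ntpath

# Constructed: the directory the preview endpoint is supposed to serve from.
BASE_DIR = r"C:\SmarterMail\Backgrounds"


def b64(s: str) -> str:
    """Encode a constructed sample the way a client would send it."""
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def decode_path_unsafe(b64_path: str) -> str:
    """Vulnerable shape: decode and use as-is. A UNC path such as
    \\\\attacker\\share\\x survives, and the later file open makes the
    service authenticate outbound to that host."""
    return base64.b64decode(b64_path).decode("utf-8")


class PathRejected(ValueError):
    """Raised by the hardened decoder for any input it will not resolve."""


def decode_path_hardened(b64_path: str, base_dir: str = BASE_DIR) -> str:
    """Decode, then confine: reject UNC, absolute and drive-qualified input,
    and require the normalised result to stay under base_dir."""
    try:
        raw = base64.b64decode(b64_path, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise PathRejected(f"undecodable input: {exc}")
    if "\x00" in raw:
        raise PathRejected("NUL byte in path")
    # Windows accepts either separator, so normalise before the prefix checks:
    # //host/share must be caught just like \\host\share.
    candidate = raw.replace("/", "\\")
    if candidate.startswith("\\\\"):            # \\host\share, \\?\..., \\.\...
        raise PathRejected("UNC path")
    drive, _ = ntpath.splitdrive(candidate)
    if drive or candidate.startswith("\\"):      # C:\..., C:rel, \rooted
        raise PathRejected("absolute or drive-qualified path")
    joined = ntpath.normpath(ntpath.join(base_dir, candidate))
    base_norm = ntpath.normpath(base_dir)
    # Containment is checked on the normalised path, so ..\ segments that
    # climb out are caught; commonpath raises if the drives differ.
    try:
        inside = ntpath.commonpath([base_norm, joined]) == base_norm
    except ValueError:
        inside = False
    if not inside:
        raise PathRejected("path escapes base directory")
    return joined


def classify(b64_path: str) -> str:
    """Return the resolved path, or 'rejected: <reason>' from the hardened decoder."""
    try:
        return decode_path_hardened(b64_path)
    except PathRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for sample in (r"winter\bg.png", r"\\attacker.example\share\bg.png",
                   "//attacker.example/share/bg.png", r"..\..\Windows\win.ini",
                   r"C:\Windows\win.ini"):
        print(f"{sample!r:40} unsafe   -> {decode_path_unsafe(b64(sample))!r}")
        print(f"{'':40} hardened -> {classify(b64(sample))}")
```

The order of checks matters: the UNC test runs before splitdrive because ntpath reports a UNC prefix as a "drive", and the forward-slash normalisation runs before both so that `//host/share` cannot slip past a backslash-only pattern. The containment check is done on the normalised joined path rather than on the raw input, which is what closes the `..\` case.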
## CVE-2026-23760: SmarterTools SmarterMail vulnerability analysis and mitigation (Wiz)
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Source
Published: 2026-02-16
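The password reset bypass in CVE-2026-23760 is an authorization defect: a state-changing endpoint that accepts anonymous callers and demands no proof before writing a new credential. The following is an added example, not SmarterMail's code: a force-reset handler in that unsafe shape next to a hardened one in which every route to a password change has to prove something (a single-use reset token, the current password, or a sysadmin session acting on a non-admin account), and the caller's privileges are looked up in the store rather than taken from the request. Account, Session, UserStore, the function names and the sample accounts are constructed for illustration.

```python
"""Added example (not SmarterMail code): a force-reset-password handler in the
unsafe shape described for CVE-2026-23760, next to a hardened one. Account,
Session, UserStore and the function names are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    is_sysadmin: bool = False
    reset_token: Optional[str] = None   # single-use, issued out of band


@dataclass
class Session:
    username: Optional[str] = None      # None models an anonymous request


class UserStore:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    @classmethod
    def constructed(cls) -> "UserStore":
        """Constructed sample data: one system administrator, one ordinary user."""
        def make(password: str, admin: bool = False) -> Account:
            salt = secrets.token_bytes(16)
            return Account(salt, _hash(password, salt), admin)
        return cls({"admin": make("CorrectHorse", admin=True), "alice": make("hunter2")})

    def verify(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))

    def set_password(self, username: str, password: str) -> None:
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(password, acct.salt)
        acct.reset_token = None         # any outstanding token is consumed


def issue_reset_token(store: UserStore, username: str) -> str:
    """What a legitimate reset flow hands the user through a verified channel."""
    token = secrets.token_urlsafe(32)
    store.accounts[username].reset_token = token
    return token


def force_reset_unsafe(store: UserStore, target: str, new_password: str) -> bool:
    """Vulnerable shape: no session, no token, no current password. Any
    anonymous caller that knows an admin username takes the account."""
    if target not in store.accounts:
        return False
    store.set_password(target, new_password)
    return True


def force_reset_hardened(store: UserStore, session: Session, target: str,
                         new_password: str, reset_token: Optional[str] = None,
                         current_password: Optional[str] = None) -> bool:
    """Every path to a password change must prove something: a valid single-use
    token, the current password, or a sysadmin session acting on a non-admin
    account. Privileges come from the store, never from the request."""
    acct = store.accounts.get(target)
    if acct is None:
        return False
    caller = store.accounts.get(session.username) if session.username else None
    if reset_token is not None:
        ok = acct.reset_token is not None and hmac.compare_digest(
            acct.reset_token.encode(), reset_token.encode())
    elif caller is not None and session.username == target:
        ok = current_password is not None and store.verify(target, current_password)
    elif caller is not None and caller.is_sysadmin and not acct.is_sysadmin:
        ok = True                       # admin resets an ordinary user
    else:
        ok = False                      # anonymous, or admin-on-admin without a token
    if ok:
        store.set_password(target, new_password)
    return ok


if __name__ == "__main__":
    s = UserStore.constructed()
    print("unsafe, anonymous reset of admin:", force_reset_unsafe(s, "admin", "pwned"))
    s = UserStore.constructed()
    print("hardened, anonymous reset of admin:", force_reset_hardened(s, Session(), "admin", "pwned"))
    print("hardened, admin still has old password:", s.verify("admin", "CorrectHorse"))
```

Two design points carry the fix: the token and password comparisons go through `hmac.compare_digest`, and `set_password` clears the token so a captured reset link cannot be replayed. A sysadmin target can only be changed by its own holder (with the current password) or with a token, which is the check the vulnerable endpoint skipped.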