CVE-2026-7807
Published 2026-05-08
Priority: P3 · 55 · high · CVSS 3.1 base score 8.8
EPSS: 0.30% (21.2th percentile)
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartertools | smartermail | < 100.0.9560 | 100.0.9560 |
| smartertools_inc | smartermail | < 9560 | 9560 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-qhw2-rfvc-fvrq (ghsa_unreviewed, 2026-05-08) · HIGH · CWE-22 (path traversal) · description identical to the CVE text above.
VulDB
SmarterTools SmarterMail up to 9526 API Endpoint /api/v1/report/summary/ path traversal (vuldb, 2026-05-08, CVSS 8.7, HIGH)
A vulnerability was found in SmarterTools SmarterMail. It has been classified as critical. This affects an unknown part of the file /api/v1/report/summary/ of the component API Endpoint. This manipulation causes path traversal.
This vulnerability appears as CVE-2026-7807. The attack requires local access. There is no available exploit.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.