CVE-2026-8811
Published 2026-06-18
Priority: P3 (40) | Severity: high | CVSS 4.0: 7.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L (all other metrics: X)
EPSS: 0.32% (23.6th percentile)
SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seppmail_ag | secure_email_gateway | < 15.0.5 | 15.0.5 |
VulDB
SEPPmail Secure Email Gateway up to 15.0.4 Attachment File path traversal
vuldb·2026-06-18
CVE-2026-8811 [CRITICAL] SEPPmail Secure Email Gateway up to 15.0.4 Attachment File path traversal
A vulnerability described as critical has been identified in SEPPmail Secure Email Gateway up to 15.0.4. The affected element is an unknown function of the component Attachment File Handler. Executing a manipulation can lead to path traversal.
This vulnerability is tracked as CVE-2026-8811. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation.
ghsa_unreviewed·2026-06-18
CVE-2026-8811 [HIGH] CWE-22 SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation.
SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-18: Published