PT-2026-38959 · Unknown · Seppmail Secure Email Gateway
Dario Weiss
·
Published
2026-05-08
·
Updated
2026-06-05
·
CVE-2026-44127
CVSS v4.0
8.8
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
SEPPmail Secure Email Gateway versions prior to 15.0.4
Description
An unauthenticated path traversal issue exists in the '/api.app/attachment/preview' endpoint. This allows remote attackers to read arbitrary local files and trigger the deletion of files within the targeted directory using the privileges of the
api.app process via the identifier parameter.Recommendations
Update to version 15.0.4 or later.
As a temporary workaround, restrict access to the '/api.app/attachment/preview' endpoint or avoid using the
identifier parameter until the update is applied.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Seppmail Secure Email Gateway