PT-2026-39193 · Smartertools · Smartermail

Dninh

·

Published

2026-05-08

·

Updated

2026-06-04

·

CVE-2026-7807

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SmarterTools SmarterMail builds prior to 9560
Description A path traversal issue in the '/api/v1/report/summary/{type}' API endpoint allows an authenticated user to perform local file inclusion and read arbitrary .json files on the server. Combined with hardcoded keys and weak encryption algorithms, this allows the decryption of stored passwords and 2FA secrets for all users.
Recommendations Update to build 9560 or later. Until the update is applied, restrict access to the '/api/v1/report/summary/{type}' API endpoint to minimize the risk of exploitation.
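The following is an added illustration of the weakness class behind this advisory, not SmarterMail's code and not an exploit for it. A report-name-to-file resolver that appends ".json" to an unchecked URL segment is shown next to a hardened version (allowlist, separator and double-encoding checks, canonical-path containment), plus a small detector that flags traversal attempts against the endpoint in constructed access-log lines. The directory layout, the report names and the log lines are assumptions.

```python
"""Illustrative '{type}' -> report file resolution: the unsafe pattern that
yields 'read any .json file', next to a hardened version, plus a log check.
Hypothetical code; paths, report names and log lines are constructed."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

REPORT_DIR = "/opt/app/reports"                  # assumed report directory
ALLOWED_TYPES = {"summary", "traffic", "spam"}   # assumed report names
ENDPOINT_PREFIX = "/api/v1/report/summary/"


def resolve_unsafe(report_type: str) -> str:
    """Vulnerable pattern: the URL segment is used as a file name unchanged.
    Only the '.json' suffix is enforced, so '../' walks out of REPORT_DIR."""
    return posixpath.normpath(posixpath.join(REPORT_DIR, report_type + ".json"))


def resolve_safe(report_type: str) -> Optional[str]:
    """Hardened resolver: decode twice (defeats double URL-encoding), reject
    separators and NULs, require an allowlisted name, and confirm the
    canonical path is still inside REPORT_DIR. Returns None on any failure."""
    decoded = unquote(unquote(report_type))
    if any(ch in decoded for ch in ("/", "\\", "\0")) or ".." in decoded:
        return None
    if decoded not in ALLOWED_TYPES:
        return None
    path = posixpath.normpath(posixpath.join(REPORT_DIR, decoded + ".json"))
    if not path.startswith(REPORT_DIR.rstrip("/") + "/"):
        return None
    return path


def is_traversal_attempt(request_path: str) -> bool:
    """Flag a request to the endpoint whose decoded '{type}' segment contains
    a separator or '..', i.e. tries to leave the report directory."""
    if not request_path.startswith(ENDPOINT_PREFIX):
        return False
    segment = unquote(unquote(request_path[len(ENDPOINT_PREFIX):]))
    return any(tok in segment for tok in ("..", "/", "\\"))


def scan_log(lines: List[str]) -> List[str]:
    """Return the lines (combined-log style: method path protocol in quotes)
    whose request path looks like a traversal attempt."""
    flagged = []
    for line in lines:
        try:
            request = line.split('"')[1]          # 'GET /path HTTP/1.1'
            path = request.split()[1]
        except IndexError:
            continue
        if is_traversal_attempt(path):
            flagged.append(line)
    return flagged


# Constructed sample access-log lines (not real SmarterMail logs).
SAMPLE_LOG = [
    '10.0.0.5 - alice [08/May/2026:10:01:02 +0000] "GET /api/v1/report/summary/summary HTTP/1.1" 200 512',
    '10.0.0.9 - bob [08/May/2026:10:01:07 +0000] "GET /api/v1/report/summary/..%2f..%2fetc%2fsettings HTTP/1.1" 200 8192',
    '10.0.0.9 - bob [08/May/2026:10:01:09 +0000] "GET /api/v1/report/summary/%252e%252e%252fconfig HTTP/1.1" 200 8192',
    '10.0.0.5 - alice [08/May/2026:10:02:00 +0000] "GET /api/v1/mail/inbox HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("unsafe:", resolve_unsafe("../../etc/settings"))
    print("safe:  ", resolve_safe("../../etc/settings"))
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The detector decodes the segment twice before inspecting it because a single decode misses "%252e%252e%252f"; the hardened resolver does the same and additionally refuses anything outside the allowlist, so the suffix check is no longer the only control.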

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-7807

Affected Products

Smartermail