CVE-2026-7807
HIGHSmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API
Title source: cnaDescription
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.
References (2)
Core 2
Core References
Patch release-notes
patch
https://www.smartertools.com/smartermail/release-notes/current
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/smartertools-smartermail-build-9560-server-local-file-inclusion-via-the-api-v1-report-summary-type-api
Scores
CVSS v3
8.1
EPSS
0.0030
EPSS Percentile
21.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (2)
smartertools/smartermail
< 100.0.9560
SmarterTools Inc./SmarterMail
< 9560
Published
May 08, 2026
Tracked Since
May 09, 2026