From: Egidio Romano <n0b0d13s () gmail com>
Date: Mon, 16 Feb 2026 23:32:17 +0100
----------------------------------------------------------------------------
SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability
----------------------------------------------------------------------------

[-] Software Link:

https://www.smartertools.com/smartermail/business-email-server

[-] Affected Versions:

Build 9518 and prior builds.

[-] Vulnerability Description:

User input passed through the "MailboxId" GET parameter to the MAPI
endpoints is not properly sanitized before being used to generate HTML
output. This can be exploited by attackers to perform Reflected Cross-Site
Scripting (XSS) attacks which, in turn, might lead to 1-click Remote
Command Execution (RCE) attacks.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2026-26930.html

[-] Solution:

Upgrade to build 9526 or later.

[-] Disclosure Timeline:

[26/01/2026] - Vendor notified
[26/01/2026] - Vendor response stating "we will get this over to the
developers for evaluation"
[30/01/2026] - Vendor released build 9526
[03/02/2026] - CVE identifier requested
[16/02/2026] - CVE identifier assigned
[16/02/2026] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.org) has assigned the
name CVE-2026-26930 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-04
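The bug class described above, as an added illustration that is not part of the advisory and not SmarterMail's code: a GET parameter named MailboxId echoed into HTML without encoding, next to a hardened handler that applies an allow-list and output encoding, plus a log check that flags values failing the allow-list. The MailboxId format, the /mapi/endpoint path and the log lines are assumptions constructed for the example.

```python
"""Reflected MailboxId: vulnerable pattern, hardened form, and a log check.
Constructed illustration; not SmarterMail's code. The MailboxId format,
the request path and the log lines are assumptions."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list for a legitimate MailboxId (hypothetical format).
MAILBOX_ID_RE = re.compile(r"[A-Za-z0-9@._-]{1,128}")

def get_mailbox_id(url: str) -> str:
    """Return the MailboxId GET parameter (URL-decoded), or '' if absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("MailboxId", [""])[0]

def render_vulnerable(url: str) -> str:
    """Echoes MailboxId into HTML unencoded: the defect the advisory describes."""
    return f"<p>Mailbox: {get_mailbox_id(url)}</p>"

def render_hardened(url: str) -> str:
    """Reject values outside the allow-list, then HTML-encode what is echoed."""
    mailbox_id = get_mailbox_id(url)
    if not MAILBOX_ID_RE.fullmatch(mailbox_id):
        # Fixed error text: nothing user-controlled reaches the response.
        return "<p>Invalid MailboxId.</p>"
    # Encode anyway, so the page stays safe if the allow-list is loosened later.
    return f"<p>Mailbox: {html.escape(mailbox_id, quote=True)}</p>"

# Constructed access-log lines; /mapi/endpoint is a placeholder path.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /mapi/endpoint?MailboxId=alice%40example.com HTTP/1.1" 200',
    '10.0.0.9 - - "GET /mapi/endpoint?MailboxId=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_suspicious_requests(log_lines):
    """Detection: log lines whose MailboxId fails the allow-list after decoding."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        mailbox_id = get_mailbox_id(m.group(1))
        if mailbox_id and not MAILBOX_ID_RE.fullmatch(mailbox_id):
            flagged.append(line)
    return flagged
```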
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/