CVE-2026-44127

Summary

SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process.

Affected Software

VendorProductVersion RangeStatus
SEPPmail AGSecure Email Gateway0 < 15.0.4affected

Weaknesses

  • CWE-73: CWE-73 External control of file name or path

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References