CRITICALCVE-2026-24423Published 2026-01-23Modified 2026-03-05CNA VulnCheck

CVE-2026-24423: SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 100.0.9511
Affected Products: 1

Fix available

100.0.9511

Patch commits

smartertools.com

Affected packages

SmarterTools / SmarterMail
< 100.0.9511 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

smartertools.com
code-white.com
vulncheck.com

Metrics

Fix available