HIGHCVE-2026-7807Published 2026-05-08Modified 2026-05-11CNA VulnCheck

CVE-2026-7807: SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 9560
Affected Products: 1

Fix available

9560

Patch commits

smartertools.com

Affected packages

SmarterTools Inc. / SmarterMail
< 9560 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

smartertools.com
vulncheck.com

Metrics

Fix available