CVE 8.8 HIGH

Local File Inclusion (LFI) and Arbitrary File Deletion_CVE-2026-44127

May 8, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Description

SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process.

AI Analysis

Unauthenticated path traversal vulnerability allowing remote attackers to read arbitrary local files and trigger deletion of files

Basic Information

ID CVE-2026-44127

Source NCSC.ch

Published May 8, 2026 at 13:13

Affected Product

Vendor SEPPmail AG

Product Secure Email Gateway

Affected Versions SEPPmail AG Secure Email Gateway 0

CWE Classification

CWE-73

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor SEPPmail AG

Product Secure Email Gateway

Version before 15.0.4

References

downloads.seppmail.com /extrelnotes/150/ERN15.0.html

{
    "lastseen": "",
    "description": "SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process.",
    "published": "2026-05-08T13:13:05.667Z",
    "modified": "2026-05-08T13:13:05.667Z",
    "type": "cve",
    "title": "Local File Inclusion (LFI) and Arbitrary File Deletion",
    "source": "NCSC.ch",
    "references": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security",
    "id": "CVE-2026-44127",
    "bulletinFamily": "",
    "cwe": [
        "CWE-73"
    ],
    "cvelist": null,
    "sourceData": "SEPPmail AG Secure Email Gateway 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Secure Email Gateway",
    "version": "0",
    "vendor": "SEPPmail AG",
    "ai_description": "Unauthenticated path traversal vulnerability allowing remote attackers to read arbitrary local files and trigger deletion of files",
    "ai_severity": "High",
    "ai_vendor": "SEPPmail AG",
    "ai_product": "Secure Email Gateway",
    "ai_version": "before 15.0.4",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply