SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

AI Analysis

Local file inclusion vulnerability in SmarterMail API

Basic Information

ID CVE-2026-7807

Source VulnCheck

Published May 8, 2026 at 19:54

Affected Product

Vendor SmarterTools Inc.

Product SmarterMail

Affected Versions SmarterTools Inc. SmarterMail 0

CWE Classification

CWE-22

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor SmarterTools Inc.

Product SmarterMail

Version < 9560

References

{
    "lastseen": "",
    "description": "SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.",
    "published": "2026-05-08T19:54:33.363Z",
    "modified": "2026-05-08T19:54:33.363Z",
    "type": "cve",
    "title": "SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API",
    "source": "VulnCheck",
    "references": "https://www.smartertools.com/smartermail/release-notes/current\nhttps://www.vulncheck.com/advisories/smartertools-smartermail-build-9560-server-local-file-inclusion-via-the-api-v1-report-summary-type-api",
    "id": "CVE-2026-7807",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "SmarterTools Inc. SmarterMail 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SmarterMail",
    "version": "0",
    "vendor": "SmarterTools Inc.",
    "ai_description": "Local file inclusion vulnerability in SmarterMail API",
    "ai_severity": "High",
    "ai_vendor": "SmarterTools Inc.",
    "ai_product": "SmarterMail",
    "ai_version": "< 9560",
    "ai_score": 8.7
}

SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API_CVE-2026-7807