PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44129 SEPPmail AG CVE debrief

CVE-2026-44129 affects SEPPmail Secure Email Gateway before version 15.0.4. The issue is a server-side template injection vulnerability in the new GINA UI: an endpoint accepts attacker-controlled template input, which can let a remote attacker execute arbitrary template expressions. Depending on which template plugins are enabled, the impact may extend to remote code execution. NVD lists the vulnerability as HIGH severity and deferred, so vendor guidance and the referenced release notes should be used for confirmation and remediation timing.

Vendor
SEPPmail AG
Product
Secure Email Gateway
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-18
Advisory published
2026-05-08
Advisory updated
2026-05-18

Who should care

Organizations running SEPPmail Secure Email Gateway, especially administrators of deployments that expose or use the new GINA UI and any environment where template plugins are enabled. Security teams should also review internet-facing gateways and systems that process untrusted template-related input.

Technical summary

The flaw is described as a server-side template injection (SSTI) issue in the new GINA UI. According to the supplied description, an endpoint accepts attacker-controlled template data, allowing arbitrary template expression execution. NVD’s record references SEPPmail release notes and third-party analysis, and includes a CVSS v4.0 vector indicating network reachability with no privileges or user interaction required. The practical impact depends on the runtime template plugin set; with certain plugins enabled, the vulnerability may be exploitable for remote code execution.

Defensive priority

High. This is a remotely reachable injection flaw in a gateway product, and the stated impact can include code execution depending on configuration. Prioritize patching and exposure review.

Recommended defensive actions

  • Upgrade SEPPmail Secure Email Gateway to version 15.0.4 or later.
  • Review whether the new GINA UI is exposed to untrusted users or networks and restrict access where possible.
  • Audit enabled template plugins and disable any nonessential plugins until the environment is fully patched and validated.
  • Inspect logs and telemetry for unusual template input, failed render attempts, or unexpected template expression usage.
  • Confirm remediation steps against the SEPPmail release notes and NVD reference material.
  • If patching is delayed, apply compensating controls such as network restrictions and tighter administrative access to reduce exposure.

Evidence notes

The summary is based on the supplied CVE description and the official NVD record, which cites SEPPmail release notes (downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security) and a third-party technical write-up (labs.infoguard.ch). The CVE published date used here is 2026-05-08, matching the supplied timeline. NVD marks the record as deferred, so some details are intentionally limited and should be validated against vendor guidance.

Official resources

Public CVE record published on 2026-05-08; NVD lists the vulnerability as deferred. Use the vendor release notes and official CVE/NVD records for remediation validation.