CVE-2026-7864 is a medium-severity information disclosure issue in SEPPmail Secure Email Gateway before version 15.0.4. An unauthenticated endpoint in the new GINA UI can expose server environment variables, which may reveal sensitive system details to remote attackers. The supplied metadata maps this to CWE-497 and shows no Known Exploited Vulnerabilities (KEV) listing in the provided corpus.
CVE-2026-44129 affects SEPPmail Secure Email Gateway before version 15.0.4. The issue is a server-side template injection vulnerability in the new GINA UI: an endpoint accepts attacker-controlled template input, which can let a remote attacker execute arbitrary template expressions. Depending on which template plugins are enabled, the impact may extend to remote code execution. NVD lists the vulnerability [truncated]
SEPPmail Secure Email Gateway versions prior to 15.0.4 contain an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview. The flaw allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process. The vulnerability was published on 2026-05-08 and last modified on 2026-05 [truncated]
SEPPmail Secure Email Gateway versions prior to 15.0.4 contain a critical insecure deserialization vulnerability (CWE-502) in the new GINA UI that enables unauthenticated remote code execution. The vulnerability stems from improper handling of untrusted serialized data, allowing attackers to execute arbitrary code by submitting crafted serialized objects to the affected interface. With a CVSS 4.0 score of [truncated]
SEPPmail Secure Email Gateway versions prior to 15.0.4 contain a critical authorization bypass vulnerability in the new GINA UI. Multiple endpoints fail to enforce authentication requirements, allowing unauthenticated remote attackers to access administrative functionality that should require a valid session. The vulnerability was disclosed on 2026-05-08 and last modified on 2026-05-18. The vendor has rel [truncated]