PatchSiren

SEPPmail AG CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM | SEPPmail AG | CVE published 2026-05-08

CVE-2026-7864

CVE-2026-7864 is a medium-severity information disclosure issue in SEPPmail Secure Email Gateway before version 15.0.4. An unauthenticated endpoint in the new GINA UI can expose server environment variables, which may reveal sensitive system details to remote attackers. The supplied metadata maps this to CWE-497 and shows no Known Exploited Vulnerabilities (KEV) listing in the provided corpus.

HIGH | SEPPmail AG | CVE published 2026-05-08

CVE-2026-44129

CVE-2026-44129 affects SEPPmail Secure Email Gateway before version 15.0.4. The issue is a server-side template injection vulnerability in the new GINA UI: an endpoint accepts attacker-controlled template input, which can let a remote attacker execute arbitrary template expressions. Depending on which template plugins are enabled, the impact may extend to remote code execution. NVD lists the vulnerability [truncated]

HIGH | SEPPmail AG | CVE published 2026-05-08

CVE-2026-44127

SEPPmail Secure Email Gateway versions prior to 15.0.4 contain an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview. The flaw allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process. The vulnerability was published on 2026-05-08 and last modified on 2026-05 [truncated]

CRITICAL | SEPPmail AG | CVE published 2026-05-08

CVE-2026-44126

SEPPmail Secure Email Gateway versions prior to 15.0.4 contain a critical insecure deserialization vulnerability (CWE-502) in the new GINA UI that enables unauthenticated remote code execution. The vulnerability stems from improper handling of untrusted serialized data, allowing attackers to execute arbitrary code by submitting crafted serialized objects to the affected interface. With a CVSS 4.0 score of [truncated]

CRITICAL | SEPPmail AG | CVE published 2026-05-08

CVE-2026-44125

SEPPmail Secure Email Gateway versions prior to 15.0.4 contain a critical authorization bypass vulnerability in the new GINA UI. Multiple endpoints fail to enforce authentication requirements, allowing unauthenticated remote attackers to access administrative functionality that should require a valid session. The vulnerability was disclosed on 2026-05-08 and last modified on 2026-05-18. The vendor has rel [truncated]