{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-26930", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-16T16:27:14.790Z", "datePublished": "2026-02-16T16:27:14.946Z", "dateUpdated": "2026-02-22T19:08:16.471Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SmarterMail", "vendor": "SmarterTools", "versions": [{"lessThan": "9526", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "SmarterTools SmarterMail before 9526 allows XSS via MAPI requests."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-16T16:35:18.324Z"}, "references": [{"url": "https://www.smartertools.com/smartermail/release-notes/current"}, {"url": "https://www.smartertools.com/smartermail/release-notes#9526"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:46:54.486705Z", "id": "CVE-2026-26930", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:47:01.870Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/30"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-22T19:08:16.471Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/30"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-22T19:08:16.471Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26930", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T14:46:54.486705Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:46:57.805Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SmarterTools", "product": "SmarterMail", "versions": [{"status": "affected", "version": "0", "lessThan": "9526", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.smartertools.com/smartermail/release-notes/current"}, {"url": "https://www.smartertools.com/smartermail/release-notes#9526"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "SmarterTools SmarterMail before 9526 allows XSS via MAPI requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-16T16:35:18.324Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26930", "state": "PUBLISHED", "dateUpdated": "2026-02-22T19:08:16.471Z", "dateReserved": "2026-02-16T16:27:14.790Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-16T16:27:14.946Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SmarterTools SmarterMail before 9526 allows XSS via MAPI requests."}, {"lang": "es", "value": "SmarterTools SmarterMail antes de 9526 permite XSS a trav\u00e9s de solicitudes MAPI."}], "id": "CVE-2026-26930", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-16T17:18:08.813", "references": [{"source": "cve@mitre.org", "url": "https://www.smartertools.com/smartermail/release-notes#9526"}, {"source": "cve@mitre.org", "url": "https://www.smartertools.com/smartermail/release-notes/current"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2026/Feb/30"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9526)"}}], "product": "smartermail", "vendor": "smartertools"}], "analysis": {"en": {"generated_at": "2026-04-17T19:00:53.621646+00:00", "value": {"mitigation_remediation": ["Upgrade SmarterMail to version 9526 or later following the SmarterTools release notes.", "Restrict MAPI traffic to trusted IP ranges or disable MAPI for external connections to reduce the attack surface.", "Configure application\u2011layer firewall rules to block or sanitize injected content in HTTP responses to mitigate residual XSS risk."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "SmarterTools SmarterMail products with versions earlier than 9526 are affected. The advisory lists SmarterTools as vendor and SmarterMail as product; no more detailed version range is specified beyond the mention of 9526 as the first fixed release.", "description_and_impact": "SmarterMail versions before 9526 contain a cross\u2011site scripting vulnerability that can be triggered through malformed MAPI requests. The flaw, identified as CWE\u201179, permits an attacker to inject arbitrary HTML or JavaScript into a user\u2019s browser context, enabling defacement or session hijacking if the victim interacts with the injected content. The primary impact is on confidentiality and integrity of the authenticated user session rather than full remote code execution.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity, and the EPSS score of less than 1% shows a low predicted exploitation probability at present. The vulnerability is not listed in KEV. The attack vector is inferred to require an attacker\u2019s ability to send specially crafted MAPI requests to the SmarterMail server, potentially exploiting exposed API endpoints or compromised credentials. The lack of explicit prerequisites suggests that the flaw is exploitable via network interfaces that allow MAPI traffic. The impact is limited to the victim\u2019s browser session and does not provide arbitrary code execution on the server."}}}}, "created": "2026-02-17T08:49:28.419685+00:00", "title": "XSS via MAPI Requests in SmarterMail Prior to 9526", "updated": "2026-04-17T19:15:26.243424+00:00", "vendors": ["smartertools", "smartertools$PRODUCT$smartermail"]}