{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29135", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2026-03-04T09:08:03.277Z", "datePublished": "2026-04-02T08:31:52.227Z", "dateUpdated": "2026-04-02T14:41:45.142Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2026-04-02T08:31:52.227Z"}, "title": "Webmail Password Tag Sanitization Bypass", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-43", "descriptions": [{"lang": "en", "value": "CAPEC-43 Exploiting Multiple Input Interpretation Layers"}]}], "affected": [{"vendor": "SEPPmail", "product": "Secure Email Gateway", "versions": [{"status": "affected", "version": "0", "lessThan": "15.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "15.0.3"}]}]}], "descriptions": [{"lang": "en", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization."}]}], "references": [{"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N"}}], "timeline": [{"time": "2025-10-31T14:22:00.000Z", "lang": "en", "value": "Vulnerability disclosed to SEPPmail"}, {"time": "2026-03-03T00:00:00.000Z", "lang": "en", "value": "Version 15.0.3 released"}], "credits": [{"lang": "en", "value": "Andris Suter-D\u00f6rig", "type": "finder"}, {"lang": "en", "value": "Matteo Scarlata", "type": "coordinator"}, {"lang": "en", "value": "Kenny Paterson", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:41:31.079621Z", "id": "CVE-2026-29135", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:41:45.142Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29135", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T14:41:31.079621Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:41:39.542Z"}}], "cna": {"title": "Webmail Password Tag Sanitization Bypass", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Andris Suter-D\u00f6rig"}, {"lang": "en", "type": "coordinator", "value": "Matteo Scarlata"}, {"lang": "en", "type": "coordinator", "value": "Kenny Paterson"}], "impacts": [{"capecId": "CAPEC-43", "descriptions": [{"lang": "en", "value": "CAPEC-43 Exploiting Multiple Input Interpretation Layers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SEPPmail", "product": "Secure Email Gateway", "versions": [{"status": "affected", "version": "0", "lessThan": "15.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T14:22:00.000Z", "value": "Vulnerability disclosed to SEPPmail"}, {"lang": "en", "time": "2026-03-03T00:00:00.000Z", "value": "Version 15.0.3 released"}], "references": [{"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization.", "supportingMedia": [{"type": "text/html", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "15.0.3", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2026-04-02T08:31:52.227Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29135", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:41:45.142Z", "dateReserved": "2026-03-04T09:08:03.277Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2026-04-02T08:31:52.227Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:seppmail:secure_email_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3729650-81CA-4311-94BF-14A7A191F8D1", "versionEndExcluding": "15.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization."}], "id": "CVE-2026-29135", "lastModified": "2026-04-16T19:03:04.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2026-04-02T09:16:21.810", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Vendor Advisory"], "url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,15.0.3)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 87.0, "source": "matching"}]}, "original": {"product": "Secure Email Gateway", "source": "cna", "vendor": "SEPPmail"}, "product": "seppmail_secure_email_gateway", "vendor": "seppmail"}], "analysis": {"en": {"generated_at": "2026-04-02T09:20:20.664698+00:00", "value": {"mitigation_remediation": ["Upgrade to SEPPmail Secure Email Gateway version 15.0.3 or later to eliminate the password\u2011tag bypass. ", "Verify that the subject sanitization functionality is operating correctly by testing sample emails with various tags. ", "Enable detailed logging for email subject parsing to detect any future bypass attempts. ", "Review and tighten any custom routing or filtering rules that might allow the injection of unvalidated tags. ", "Regularly check SEPPmail advisory releases for additional patches or related security guidance."], "summary": {"action": "Update", "impact": "Subject sanitization bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects SEPPmail Secure Email Gateway software, with all releases preceding version 15.0.3 being susceptible. Users running any older build of the gateway should consider checking their installation against this advisory.", "description_and_impact": "SEPPmail Secure Email Gateway versions prior to 15.0.3 contain an input validation flaw that allows an attacker to craft a password-tag that bypasses the gateway\u2019s subject sanitization process. This weakness, identified as CWE\u201120 (Improper Input Validation), can enable the injection of unexpected email subject content or malicious payloads, potentially compromising the confidentiality or integrity of messages and leading to unauthorized actions within the mail system.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity. Exploit probability data is currently unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector involves an attacker sending a crafted email that includes the malicious password-tag to the gateway; no additional authentication or privileged access is required beyond the ability to transmit such a message to the mail processor. Given the straightforward nature of the input, the risk to systems using unpatched SEPPmail versions is moderate while the potential impact could be higher if the gateway is used to forward messages broadly or to integrate with other services."}}}}, "created": "2026-04-02T20:15:32.169143+00:00", "updated": "2026-04-02T20:22:07.684620+00:00", "vendors": ["seppmail", "seppmail$PRODUCT$seppmail_secure_email_gateway"]}