{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29142", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2026-03-04T09:08:07.342Z", "datePublished": "2026-04-02T08:44:51.968Z", "dateUpdated": "2026-04-02T13:31:40.126Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2026-04-02T08:44:51.968Z"}, "title": "Plaintext secure-mail.html", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-325", "description": "CWE-325 Missing Cryptographic Step", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-194", "descriptions": [{"lang": "en", "value": "CAPEC-194 Fake the Source of Data"}]}], "affected": [{"vendor": "SEPPmail", "product": "Secure Email Gateway", "versions": [{"status": "affected", "version": "0", "lessThan": "15.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "15.0.3"}]}]}], "descriptions": [{"lang": "en", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email."}]}], "references": [{"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"}}], "timeline": [{"time": "2025-10-31T14:22:00.000Z", "lang": "en", "value": "Vulnerability disclosed to SEPPmail"}, {"time": "2026-03-03T00:00:00.000Z", "lang": "en", "value": "Version 15.0.3 released"}], "credits": [{"lang": "en", "value": "Andris Suter-D\u00f6rig", "type": "finder"}, {"lang": "en", "value": "Matteo Scarlata", "type": "coordinator"}, {"lang": "en", "value": "Kenny Paterson", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:21:07.474508Z", "id": "CVE-2026-29142", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:31:40.126Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:21:07.474508Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:21:20.438Z"}}], "cna": {"title": "Plaintext secure-mail.html", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Andris Suter-D\u00f6rig"}, {"lang": "en", "type": "coordinator", "value": "Matteo Scarlata"}, {"lang": "en", "type": "coordinator", "value": "Kenny Paterson"}], "impacts": [{"capecId": "CAPEC-194", "descriptions": [{"lang": "en", "value": "CAPEC-194 Fake the Source of Data"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SEPPmail", "product": "Secure Email Gateway", "versions": [{"status": "affected", "version": "0", "lessThan": "15.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T14:22:00.000Z", "value": "Vulnerability disclosed to SEPPmail"}, {"lang": "en", "time": "2026-03-03T00:00:00.000Z", "value": "Version 15.0.3 released"}], "references": [{"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email.", "supportingMedia": [{"type": "text/html", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-325", "description": "CWE-325 Missing Cryptographic Step"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "15.0.3", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2026-04-02T08:44:51.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29142", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:31:40.126Z", "dateReserved": "2026-03-04T09:08:07.342Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2026-04-02T08:44:51.968Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:seppmail:secure_email_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3729650-81CA-4311-94BF-14A7A191F8D1", "versionEndExcluding": "15.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email."}], "id": "CVE-2026-29142", "lastModified": "2026-04-16T19:00:35.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2026-04-02T09:16:22.957", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Release Notes"], "url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-325"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,15.0.3)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 87.0, "source": "matching"}]}, "original": {"product": "Secure Email Gateway", "source": "cna", "vendor": "SEPPmail"}, "product": "seppmail_secure_email_gateway", "vendor": "seppmail"}], "analysis": {"en": {"generated_at": "2026-04-02T10:24:42.001464+00:00", "value": {"mitigation_remediation": ["Upgrade SEPPmail Secure Email Gateway to version 15.0.3 or later", "If upgrade is delayed, restrict or disable GINA encryption for outbound emails until the patch is applied", "Validate email integrity using vendor\u2011provided verification tools", "Monitor mail logs for unexpected or forged GINA\u2011encrypted messages"], "summary": {"action": "Patch", "impact": "Forged GINA\u2011encrypted emails can appear genuine to recipients"}, "threat_synthesis": {"affected_systems": "The affected product is SEPPmail Secure Email Gateway. Any installation running a version prior to 15.0.3 is vulnerable; versions 15.0.3 and later include the fix.", "description_and_impact": "SEPPmail Secure Email Gateway releases earlier than 15.0.3 contain a flaw that permits an attacker to forge a GINA\u2011encrypted email. The vulnerability allows the construction of an email that satisfies the encryption verification process while containing arbitrary content. Consequently, an adversary could send spoofed, apparently legitimate messages, potentially deceiving recipients, facilitating phishing, or delivering malicious payloads under the guise of a secure channel. The weakness is consistent with the Missing Authentication for Network Services enumeration (CWE\u2011325).", "risk_and_exploitability": "The CVSS base score of 6.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to create or manipulate a GINA\u2011encrypted email that passes validation, which likely requires knowledge of the email format and encryption scheme. The vulnerability\u2019s potential to forge authenticated messages places it in the moderate\u2011to\u2011high risk quadrant, especially for environments that rely heavily on encrypted email for confidentiality and integrity."}}}}, "created": "2026-04-02T20:15:29.109105+00:00", "title": "Forged GINA\u2011Encrypted Email Vulnerability in SEPPmail Secure Email Gateway", "updated": "2026-04-02T20:22:04.817147+00:00", "vendors": ["seppmail", "seppmail$PRODUCT$seppmail_secure_email_gateway"]}