Description
The GINA web interface in SEPPmail Secure Email Gateway before version 15.0.1 does not properly check attachment filenames in GINA-encrypted emails, allowing an attacker to access files on the gateway.
Published: 2026-03-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Access via Path Traversal
Action: Patch Now
AI Analysis

Impact

The Secure Email Gateway’s web interface fails to validate attachment filenames in GINA‑encrypted emails, allowing a path traversal condition. An attacker can manipulate an attachment name to reference arbitrary files on the gateway, leading to unauthorized disclosure of stored data. This weakness is classified as CWE‑22 and results in a high‑impact confidentiality compromise without affecting integrity or availability directly.

Affected Systems

The vulnerability affects SEPPmail Secure Email Gateway versions prior to 15.0.1, as reported by the vendor’s official advisory. All installations using the default web interface and processing GINA‑encrypted attachments are potentially impacted.

Risk and Exploitability

With a CVSS score of 9.3, the flaw is considered critical. The EPSS score is under 1 %, indicating low but non‑zero historical exploitation probability, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is remote: an adversary can send a crafted GINA‑encrypted email to the gateway’s web interface, exploit the filename check failure, and read arbitrary files on the server.

Generated by OpenCVE AI on April 16, 2026 at 13:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Secure Email Gateway to version 15.0.1 or later to eliminate the unchecked filename handling.
  • Implement strict input validation on attachment filenames to reject or sanitize path traversal characters before processing.
  • Enable monitoring of file access logs and configure alerts for abnormal read attempts to detect potential exploitation attempts.



Advisories

No advisories yet.

History

Thu, 05 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Seppmail seppmail
CPEs | | cpe:2.3:a:seppmail:seppmail:*:*:*:*:*:*:*:*
Vendors & Products | | Seppmail seppmail
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 04 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | The GINA web interface in SEPPmail Secure Email Gateway before version 15.0.1 does not properly check attachment filenames in GINA-encrypted emails, allowing an attacker to access files on the gateway.
Title | | zip_attachments Path Traversal
First Time appeared | | Seppmail; Seppmail seppmail Secure Email Gateway
Weaknesses | | CWE-22
CPEs | | cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products | | Seppmail; Seppmail seppmail Secure Email Gateway
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-03-04T19:08:48.610Z

Reserved: 2026-02-19T13:56:28.869Z

Link: CVE-2026-27442

Vulnrichment

Updated: 2026-03-04T19:08:41.417Z

NVD

Status: Analyzed

Published: 2026-03-04T09:15:56.120

Modified: 2026-03-05T15:44:04.200

Link: CVE-2026-27442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses