Description
SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it.
Published: 2026-03-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Source Spoofing and Potential Decryption of Email Content
Action: Immediate Patch
AI Analysis

Impact

SEPPmail Secure Email Gateway incorrectly interprets email addresses in message headers, which can lead to an interpretation conflict with other mail infrastructure. This flaw enables an attacker to forge the apparent sender address or to view email content that should remain confidential. The weakness is classified under CWE‑436, indicating an incorrect loop or condition that misprocesses input data.

Affected Systems

The vulnerability affects the SEPPmail Secure Email Gateway product from SEPPmail. All installations using a version prior to 15.0.1 are potentially compromised, as the patch that corrects the header parsing logic is included in release 15.0.1 and later.

Risk and Exploitability

With a CVSS base score of 7.8 the flaw is rated high severity. The EPSS score is under 1%, suggesting a low but non-zero likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would most likely exploit this by crafting a malicious email with specially constructed headers and delivering it to the gateway or to downstream mail infrastructure that interfaces with the gateway. Successful exploitation would allow the attacker to impersonate legitimate senders and/or gain access to email content that should remain confidential.

Generated by OpenCVE AI on April 17, 2026 at 13:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SEPPmail Secure Email Gateway to version 15.0.1 or newer
  • Configure the gateway to reject or quarantine emails that contain mismatched or suspicious header email addresses until the patch is applied
  • Enforce strict email authentication (SPF, DKIM, DMARC) and monitor for authentication failures to mitigate spoofing risk while the patch is pending

Generated by OpenCVE AI on April 17, 2026 at 13:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Seppmail seppmail
CPEs cpe:2.3:a:seppmail:seppmail:*:*:*:*:*:*:*:*
Vendors & Products Seppmail seppmail
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Wed, 04 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it.
Title Header Email Address Parsing
First Time appeared Seppmail
Seppmail seppmail Secure Email Gateway
Weaknesses CWE-436
CPEs cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products Seppmail
Seppmail seppmail Secure Email Gateway
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N'}

Subscriptions

Seppmail Seppmail Seppmail Secure Email Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-03-04T19:28:55.122Z

Reserved: 2026-02-19T13:56:28.869Z

Link: CVE-2026-27444

cve-icon Vulnrichment

Updated: 2026-03-04T19:28:51.968Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T09:15:56.483

Modified: 2026-03-05T15:34:43.243

Link: CVE-2026-27444

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses