Description
SEPPmail Secure Email Gateway before version 15.0.1 decrypts inline PGP messages without isolating them from surrounding unencrypted content, allowing exposure of sensitive information to an unauthorized actor.
Published: 2026-03-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

SEPPmail Secure Email Gateway versions prior to 15.0.1 decrypt inline PGP messages without isolating the decrypted text from the surrounding unencrypted content. This flaw permits an attacker who can send or intercept such emails to read sensitive data that was intended to remain confidential. The weakness is a classic example of improper isolation of encrypted data, classified as CWE‑200.

Affected Systems

The vulnerability affects SEPPmail Secure Email Gateway, specifically all releases before 15.0.1. Users running any version older than 15.0.1 are susceptible to data exposure from mixed PGP/plaintext messages.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 is rated Medium. EPSS is listed as less than 1 percent, suggesting that exploitation is currently unlikely, and the vulnerability is not in the CISA KEV catalog. Based on the description, the most probable attack vector involves an adversary inserting a mixed‑content message into the email stream that the gateway will process, thereby leaking data to the attacker.

Generated by OpenCVE AI on April 16, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SEPPmail Secure Email Gateway to version 15.0.1 or later.
  • If an immediate upgrade is not possible, reconfigure the gateway to reject or strip emails that contain mixed plaintext and PGP-encrypted sections before decryption.
  • Perform an audit of inbound email traffic to confirm that no mixed‑content messages are being processed and verify that the gateway no longer exposes adjacent plain text to unauthorized actors.
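
For the audit in the last item, the following added example (not SEPPmail or OpenCVE code) classifies a raw message by whether any text part carries an ASCII-armored PGP block together with unencrypted text outside it. The function names and the sample messages are constructed for illustration; the armor body is a placeholder, not real ciphertext.

```python
import re
from email import message_from_string

# ASCII-armor delimiters of an inline PGP message (RFC 4880, section 6.2).
ARMOR = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL)

def classify_body(text):
    """Return 'none', 'pgp-only' or 'mixed' for one decoded text body."""
    if not ARMOR.search(text):
        return "none"
    # Whatever remains once the armored blocks are removed is unencrypted
    # content sitting next to the ciphertext (HTML markup counts as well).
    return "mixed" if ARMOR.sub("", text).strip() else "pgp-only"

def classify_message(raw):
    """Classify a raw RFC 5322 message by its most severe text part."""
    verdicts = set()
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and attachments are skipped
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "utf-8",
                                  errors="replace")
        except LookupError:  # unknown charset label: fall back to UTF-8
            text = payload.decode("utf-8", errors="replace")
        verdicts.add(classify_body(text))
    for verdict in ("mixed", "pgp-only"):
        if verdict in verdicts:
            return verdict
    return "none"

# Constructed sample messages (placeholder armor, example.org addresses).
HEADERS = ("From: a@example.org\nTo: b@example.org\nSubject: test\n"
           "Content-Type: text/plain; charset=utf-8\n\n")
BLOCK = ("-----BEGIN PGP MESSAGE-----\n\nPLACEHOLDERDATA\n"
         "-----END PGP MESSAGE-----\n")
PGP_ONLY = HEADERS + BLOCK
MIXED = HEADERS + "Unencrypted text next to the block.\n\n" + BLOCK
PLAIN = HEADERS + "No PGP content here.\n"

if __name__ == "__main__":
    for name, raw in (("pgp-only", PGP_ONLY), ("mixed", MIXED), ("plain", PLAIN)):
        print(name, "->", classify_message(raw))
```

The check is deliberately conservative: a mail footer or signature line outside the armor also yields "mixed", so flagged messages need review rather than automatic rejection.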

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Seppmail seppmail |
| Weaknesses | | NVD-CWE-noinfo |
| CPEs | | cpe:2.3:a:seppmail:seppmail:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Seppmail seppmail |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


Wed, 04 Mar 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 04 Mar 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | SEPPmail Secure Email Gateway before version 15.0.1 decrypts inline PGP messages without isolating them from surrounding unencrypted content, allowing exposure of sensitive information to an unauthorized actor. |
| Title | | PGP Mixed Plaintext and Encrypted Content |
| First Time appeared | | Seppmail, Seppmail seppmail Secure Email Gateway |
| Weaknesses | | CWE-200 |
| CPEs | | cpe:2.3:a:seppmail:seppmail_secure_email_gateway:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Seppmail, Seppmail seppmail Secure Email Gateway |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-03-04T19:38:50.677Z

Reserved: 2026-02-19T13:56:32.153Z

Link: CVE-2026-2747

Vulnrichment

Updated: 2026-03-04T19:38:46.326Z

NVD

Status: Analyzed

Published: 2026-03-04T09:15:58.120

Modified: 2026-03-05T15:15:59.520

Link: CVE-2026-2747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses