Description
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Subject sanitization bypass
Action: Update
AI Analysis

Impact

SEPPmail Secure Email Gateway versions prior to 15.0.3 contain an input validation flaw that allows an attacker to craft a password-tag that bypasses the gateway’s subject sanitization process. This weakness, identified as CWE‑20 (Improper Input Validation), can enable the injection of unexpected email subject content or malicious payloads, potentially compromising the confidentiality or integrity of messages and leading to unauthorized actions within the mail system.

Affected Systems

The vulnerability affects SEPPmail Secure Email Gateway software, with all releases preceding version 15.0.3 being susceptible. Users running any older build of the gateway should consider checking their installation against this advisory.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. Exploit probability data is currently unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an attacker sending the gateway a crafted email that includes the malicious password-tag; no authentication or privileged access is required beyond the ability to transmit such a message to the mail processor. Given the straightforward nature of the input, the risk to systems running unpatched SEPPmail versions is moderate, while the potential impact could be higher if the gateway is used to forward messages broadly or to integrate with other services.

Generated by OpenCVE AI on April 2, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SEPPmail Secure Email Gateway version 15.0.3 or later to eliminate the password‑tag bypass.
  • Verify that the subject sanitization functionality is operating correctly by testing sample emails with various tags.
  • Enable detailed logging for email subject parsing to detect any future bypass attempts.
  • Review and tighten any custom routing or filtering rules that might allow the injection of unvalidated tags.
  • Regularly check SEPPmail advisory releases for additional patches or related security guidance.


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization.
Title | | Webmail Password Tag Sanitization Bypass
First Time appeared | | Seppmail; Seppmail seppmail Secure Email Gateway
Weaknesses | | CWE-20
CPEs | | cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products | | Seppmail; Seppmail seppmail Secure Email Gateway
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-02T14:41:45.142Z

Reserved: 2026-03-04T09:08:03.277Z

Link: CVE-2026-29135

Vulnrichment

Updated: 2026-04-02T14:41:39.542Z

NVD

Status: Received

Published: 2026-04-02T09:16:21.810

Modified: 2026-04-02T09:16:21.810

Link: CVE-2026-29135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:07Z

Weaknesses