Description
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to inject HTML into notification emails about new CA certificates.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTML Injection
Action: Apply Patch
AI Analysis

Impact

SEPPmail Secure Email Gateway versions earlier than 15.0.3 allow an attacker to inject arbitrary HTML content into notification e‑mails that inform users of new CA certificates. The injected markup can include malicious scripts, potentially leading to cross‑site scripting or phishing attacks within the email client. This flaw falls under the Cross‑Site Scripting weakness category (CWE‑79).

Affected Systems

The affected product is SEPPmail Secure Email Gateway, in all releases prior to 15.0.3. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 places the vulnerability in the Medium severity range. No EPSS score is available, and the issue is not recorded in the CISA KEV catalog, suggesting that immediate public exploitation is not known. Exploitation would require an attacker to influence the generation of CA‑certificate notification emails, which typically involves privileged access or the creation of a malicious certificate. Therefore, the opportunity for widespread exploitation is limited, but the impact within an organization that uses the gateway could be significant if the injection is not mitigated.

Generated by OpenCVE AI on April 2, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SEPPmail Secure Email Gateway to version 15.0.3 or later to eliminate the HTML injection flaw.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

Values Added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 09:00:00 +0000

Values Added (no values removed):

  • Description: SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to inject HTML into notification emails about new CA certificates.
  • Title: CA Notification HTML Injection
  • First Time appeared: Seppmail; Seppmail seppmail Secure Email Gateway
  • Weaknesses: CWE-79
  • CPEs: cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
  • Vendors & Products: Seppmail; Seppmail seppmail Secure Email Gateway
  • References
  • Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-02T13:30:44.648Z

Reserved: 2026-03-04T09:08:03.277Z

Link: CVE-2026-29136

Vulnrichment

Updated: 2026-04-02T13:30:38.794Z

NVD

Status: Received

Published: 2026-04-02T09:16:21.963

Modified: 2026-04-02T09:16:21.963

Link: CVE-2026-29136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:40Z

Weaknesses