Description
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to hide security tags from users by crafting a long subject.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Tag suppression causing potential data leakage
Action: Apply patch
AI Analysis

Impact

SEPPmail Secure Email Gateway versions before 15.0.3 allow an attacker to craft an email with an excessively long subject line. The gateway fails to properly validate the length of the subject and, as a result, removes or suppresses the security tags that would normally be attached to the message. This flaw means that messages that should be flagged for handling or compliance may be treated as ordinary email, increasing the risk of confidential information being delivered outside of intended controls. The weakness is classified as CWE‑20, improper input validation.

Affected Systems

The vulnerability affects SEPPmail Secure Email Gateway installations running any firmware version older than 15.0.3. No other vendor or product variations are listed in this CVE.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is unavailable and the vulnerability is not in CISA’s KEV catalog, suggesting limited widespread exploitation so far. The likely attack vector is simple: a sender can transmit a crafted email with a subject longer than the gateway expects. While the flaw does not provide remote code execution or privilege escalation, it can bypass automated tagging, leading to potential policy violations or data leakage. Organizations with automated security tagging should consider the risk of misclassification as part of their overall threat model.

Generated by OpenCVE AI on April 2, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SEPPmail Secure Email Gateway to version 15.0.3 or later.
  • If an upgrade cannot be performed immediately, enforce a policy that limits the maximum subject length or reject messages exceeding the threshold.
  • Review email logs for unusually long subject lines and investigate suspicious activity.



Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to hide security tags from users by crafting a long subject.
Title | | Long Subject Untagging
First Time appeared | | Seppmail; Seppmail seppmail Secure Email Gateway
Weaknesses | | CWE-20
CPEs | | cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products | | Seppmail; Seppmail seppmail Secure Email Gateway
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-02T13:31:46.465Z

Reserved: 2026-03-04T09:08:03.277Z

Link: CVE-2026-29137

Vulnrichment

Updated: 2026-04-02T13:22:35.806Z

NVD

Status: Received

Published: 2026-04-02T09:16:22.120

Modified: 2026-04-02T09:16:22.120

Link: CVE-2026-29137

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:05Z

Weaknesses