Description
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge security tags using Unicode lookalike characters.
Published: 2026-04-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized email tag manipulation leading to security bypass
Action: Apply Patch
AI Analysis

Impact

SEPPmail Secure Email Gateway before version 15.0.3 accepts Unicode characters that look like standard ASCII in the subject field. This allows an attacker to bypass the gateway’s subject sanitization and forge security tags that the system uses for filtering or forwarding. The result is that the attacker can misrepresent an email’s security status, potentially causing the message to be treated as legitimate even though it should be flagged or blocked.

Affected Systems

The vulnerability affects the SEPPmail Secure Email Gateway product from SEPPmail, specifically any installations running versions earlier than 15.0.3. The affected component is the subject parsing and sanitization routine that interprets Unicode characters as if they were plain ASCII tags.

Risk and Exploitability

With a CVSS score of 7.8, the flaw is considered high severity. An attacker would exploit it by sending a specially crafted email that uses lookalike Unicode characters in the subject line. EPSS data are not available, and the flaw is not listed in the CISA KEV catalog, so there is no confirmed public exploitation yet, but the vulnerability remains a significant risk pending an update.

Generated by OpenCVE AI on April 2, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SEPPmail Secure Email Gateway to version 15.0.3 or later.
  • Verify that the upgrade has been successfully applied and that subject sanitization is enforced.
  • Monitor mail logs for attempts to use forged security tags in the subject field.
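For the log-monitoring action above, one way to flag subjects that contain a security tag only through lookalike characters. This is an added example, not SEPPmail or OpenCVE code; the tag `[example-tag]` is a placeholder, the confusables map is a small constructed subset, and case-insensitive tag matching is an assumption.

```python
import unicodedata
from email.header import decode_header, make_header

# Assumption: placeholder tag; replace with the subject tags your gateway acts on.
PROTECTED_TAGS = ["[example-tag]"]

# Constructed subset of cross-script lookalikes, not a full confusables table.
# Keys are lowercase because fold() casefolds before translating.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic er, es, ha
    "\u03b1": "a", "\u03bf": "o",                  # Greek alpha, omicron
    "\u2010": "-", "\u2212": "-",                  # hyphen, minus sign
})

def fold(text):
    """Reduce a subject to the ASCII skeleton a human reader would perceive."""
    text = unicodedata.normalize("NFKC", text)      # fullwidth/compat forms -> ASCII
    # Drop format characters (category Cf), e.g. zero-width space, soft hyphen.
    text = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return text.casefold().translate(CONFUSABLES)

def forged_tags(raw_subject):
    """Return protected tags that appear only via lookalike characters."""
    subject = str(make_header(decode_header(raw_subject)))  # undo RFC 2047 encoding
    plain, folded = subject.casefold(), fold(subject)
    # A tag seen more often after folding than before was spelled with lookalikes.
    return [t for t in PROTECTED_TAGS if folded.count(t) > plain.count(t)]

# Constructed sample subjects (not taken from real traffic).
SAMPLES = [
    "[example-tag] quarterly report",               # genuine ASCII tag
    "[ex\u0430mple-tag] quarterly report",          # Cyrillic a
    "\uff3bexample\u2010tag\uff3d invoice",         # fullwidth brackets, U+2010
    "[exam\u200bple-tag] invoice",                  # zero-width space
    "=?utf-8?q?=5Bex=D0=B0mple-tag=5D_invoice?=",   # RFC 2047 encoded lookalike
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), "->", forged_tags(s) or "ok")
```

A production check would replace the small map with the full Unicode confusables data (UTS #39) and run against the decoded Subject header from the gateway's mail logs.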


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

Type / Values Removed / Values Added
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 09:00:00 +0000

Type / Values Removed / Values Added
Description: SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge security tags using Unicode lookalike characters.
Title: Unicode Subject Tags
First Time appeared: Seppmail; Seppmail seppmail Secure Email Gateway
Weaknesses: CWE-20
CPEs: cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products: Seppmail; Seppmail seppmail Secure Email Gateway
References:
Metrics: cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-02T13:32:54.711Z

Reserved: 2026-03-04T09:08:07.342Z

Link: CVE-2026-29144

Vulnrichment

Updated: 2026-04-02T13:32:49.787Z

NVD

Status: Received

Published: 2026-04-02T09:16:23.293

Modified: 2026-04-02T09:16:23.293

Link: CVE-2026-29144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:42Z

Weaknesses