Local File Inclusion Vulnerability in SmarterMail by SmarterTools
CVE-2026-7807

8.7HIGH

Key Information:

Vendor: Smartertools Inc.
Status: Smartermail
Vendor: CVE Published:; 8 May 2026

🔔 Create Smartertools Inc. Vulnerability Alert

What is CVE-2026-7807?

SmarterMail builds prior to version 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint. Authenticated users can exploit this flaw to access arbitrary .json files stored on the server. This exploitation may be especially dangerous when used alongside weak encryption algorithms and hardcoded keys, potentially allowing attackers to decrypt user passwords and two-factor authentication secrets, leading to extensive compromise of user accounts and sensitive information.

Affected Version(s)

SmarterMail 0 < 9560

References

https://www.smartertools.com/smartermail/release-notes/cu...

release-notespatch

https://www.vulncheck.com/advisories/smartertools-smarter...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
May 4, 2026

Credit

dninh of SACOMBANK

CVE-2026-7807 Data

JSON