CVE-2026-44127
Unauthenticated Path Traversal in SEPPmail Secure Email Gateway
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: Switzerland Government Common Vulnerability Program
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seppmail | secure_email_gateway | up to 15.0.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SEPPmail Secure Email Gateway versions before 15.0.4. It is an unauthenticated path traversal flaw in the identifier parameter of the /api.app/attachment/preview endpoint.
Remote attackers can exploit this vulnerability to read arbitrary local files on the server and also trigger deletion of files within the targeted directory. These actions occur with the privileges of the api.app process.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to unauthorized disclosure of sensitive files stored on the server, potentially exposing confidential information.
Additionally, attackers can delete files within the targeted directory, which may disrupt service availability or cause data loss.
Since the actions are performed with the privileges of the api.app process, the impact depends on the permissions granted to that process, which could be significant.