CVE-2026-44129
Server-Side Template Injection in SEPPmail Secure Email Gateway
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: Switzerland Government Common Vulnerability Program
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seppmail | secure_email_gateway | up to 15.0.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SEPPmail Secure Email Gateway versions before 15.0.4. It is a server-side template injection issue in the new GINA UI. An attacker can send a specially crafted template to an endpoint that accepts it without proper validation, allowing the attacker to execute arbitrary template expressions on the server.
Depending on the enabled template plugins, this can lead to remote code execution, meaning the attacker could run malicious code on the affected server.
How can this vulnerability impact me?
The vulnerability can allow remote attackers to execute arbitrary code on the server running SEPPmail Secure Email Gateway. This can lead to unauthorized access, data compromise, disruption of email services, and potentially full control over the affected system.