Smartertools
RSS Feeds for Smartertools security vulnerabilities
Create a CVE RSS feed of security vulnerabilities found in Smartertools products with stack.watch: hit watch, then grab your custom RSS feed URL.
Products by Smartertools Sorted by Most Security Vulnerabilities since 2018
Known Exploited Smartertools Vulnerabilities
The following Smartertools vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability | SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves a malicious OS command, leading to command execution. CVE-2026-24423. EPSS exploit probability: 81.9% | February 5, 2026 |
| SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability | SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. CVE-2025-52691. EPSS exploit probability: 89.9% | January 26, 2026 |
| SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability | SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. CVE-2026-23760. EPSS exploit probability: 79.9% | January 26, 2026 |
All 3 of the known exploited vulnerabilities above are in the top 1% (the 99th percentile) of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 7 vulnerabilities in Smartertools with an average score of 7.2 out of ten. Last year, in 2025, Smartertools had 1 security vulnerability published, so 6 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 2.83 (10.00 versus 7.18).
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 7 | 7.18 |
| 2025 | 1 | 10.00 |
| 2024 | 0 | 0.00 |
| 2023 | 3 | 5.40 |
| 2022 | 4 | 6.95 |
| 2021 | 5 | 7.10 |
| 2020 | 0 | 0.00 |
| 2019 | 4 | 7.65 |
It may take a day or so for new Smartertools vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Smartertools Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-7807 | May 08, 2026 | LFI & Password Exposure in SmarterMail API: SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users. | SmarterMail |
| CVE-2026-40514 | Apr 27, 2026 | SmarterMail DES-CBC key derivation weak via low-entropy System.Random: SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content. | SmarterMail |
| CVE-2026-26930 | Feb 16, 2026 | SmarterMail XSS via MAPI requests (pre-9526): SmarterTools SmarterMail before 9526 allows XSS via MAPI requests. | SmarterMail |
| CVE-2026-25067 | Jan 29, 2026 | SmarterMail Unauthenticated Path Coercion Enables SMB Relay on Windows: SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication. | SmarterMail |
| CVE-2026-24423 | Jan 23, 2026 | SmarterMail RCE via ConnectToHub API (Unauthenticated Remote Code Execution): SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker can point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes. | SmarterMail |
| CVE-2026-23760 | Jan 22, 2026 | SmarterMail Auth Bypass via Force Reset Password: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. | SmarterMail |
| CVE-2020-36926 | Jan 15, 2026 | SmarterTrack Info Disclosure in Chat Search (/Management/Chat/frmChatSearch.aspx): SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers. | SmarterTrack |
| CVE-2025-52691 | Dec 29, 2025 | SmarterMail Unrestricted Upload of File with Dangerous Type: Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | SmarterMail |
| CVE-2023-48116 | Dec 21, 2023 | SmarterMail Stored XSS via Calendar Description: SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment. | SmarterMail |
| CVE-2023-48115 | Dec 21, 2023 | SmarterTools SmarterMail DOM XSS via messageHTML/PlainText: SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request. | SmarterMail |
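Two of the entries above are the same bug class seen from different angles: CVE-2026-25067 decodes a base64 parameter and hands it to the filesystem, so a UNC path makes a Windows host authenticate outbound over SMB, and CVE-2026-7807 lets the {type} segment of a report URL select which .json file is read. The example below is added here and is not SmarterMail code; it shows the vulnerable pattern beside a containment check that rejects UNC, drive-letter and absolute paths, normalises separators, and refuses anything that escapes the base directory, plus an allowlist for the report case. The directory names, the report-type allowlist and the image suffix list are assumptions.

```python
"""Containing attacker-supplied path fragments (constructed example, not SmarterMail code)."""
import base64
import binascii
import posixpath
from pathlib import PurePosixPath, PureWindowsPath

BACKGROUND_DIR = "/opt/smartermail/backgrounds"                   # assumed location
REPORT_DIR = "/opt/smartermail/reports"                           # assumed location
ALLOWED_REPORT_TYPES = frozenset({"daily", "weekly", "monthly"})  # assumed allowlist
ALLOWED_IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg")                # assumed allowlist


def encode_param(path: str) -> str:
    """Encode a path the way the client would send it."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def vulnerable_resolve(encoded: str) -> str:
    """The CVE-2026-25067 pattern: the decoded value goes straight to the file layer.
    On Windows, '\\\\host\\share\\x' is a UNC path and opening it triggers SMB
    authentication to 'host'; '..\\..' walks out of the intended directory."""
    return base64.b64decode(encoded).decode("utf-8")


def is_absolute_or_unc(path: str) -> bool:
    """True for UNC (either separator style), drive letters, and rooted paths."""
    if path.startswith(("\\\\", "//")):
        return True
    win = PureWindowsPath(path)
    # drive catches 'C:...' and '\\\\server\\share'; root catches a leading separator
    return bool(win.drive or win.root) or PurePosixPath(path).is_absolute()


def safe_resolve_background(encoded: str) -> str:
    """Hardened version: decode strictly, reject non-relative input, normalise,
    and confirm the final path is still inside BACKGROUND_DIR."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed parameter") from exc
    if any(ord(ch) < 0x20 for ch in raw):
        raise ValueError("control character in path")
    if is_absolute_or_unc(raw):
        raise ValueError("absolute or UNC path rejected")
    # Treat backslashes as separators so '..\\..' cannot slip past the check.
    rel = posixpath.normpath(raw.replace("\\", "/"))
    if rel == ".." or rel.startswith("../"):
        raise ValueError("path escapes the background directory")
    if not rel.lower().endswith(ALLOWED_IMAGE_SUFFIXES):
        raise ValueError("unexpected file type")
    full = posixpath.normpath(posixpath.join(BACKGROUND_DIR, rel))
    if full != BACKGROUND_DIR and not full.startswith(BACKGROUND_DIR + "/"):
        raise ValueError("containment check failed")  # defence in depth
    return full


def safe_report_path(report_type: str) -> str:
    """The CVE-2026-7807 pattern, fixed by construction: the client picks a name
    from a fixed set, never a path, so no .json outside REPORT_DIR is reachable."""
    if report_type not in ALLOWED_REPORT_TYPES:
        raise ValueError("unknown report type")
    return posixpath.join(REPORT_DIR, report_type + ".json")


def is_accepted(resolver, value: str) -> bool:
    """Helper for tests and demos: did the resolver accept the input?"""
    try:
        resolver(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    unc = "\\\\attacker.example\\share\\bg.png"  # constructed malicious input
    print("vulnerable:", vulnerable_resolve(encode_param(unc)))
    print("hardened accepts UNC:", is_accepted(safe_resolve_background, encode_param(unc)))
    print("hardened resolves:", safe_resolve_background(encode_param("summer/beach.png")))
```

The `posixpath` functions are used deliberately rather than `os.path` so the check behaves the same on Linux and Windows hosts; the separator normalisation is what makes that safe, because without it a backslash-only traversal is a plain filename on Linux and a traversal on Windows.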
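The CVE-2026-40514 entry describes why a seeded PRNG is not a key source: when the seed can only take about 19,000 values, an attacker who can tell a valid token from an invalid one tries every seed and is done in well under a second. The example below is added here and is not SmarterMail code. It models the sharing endpoint as an accept/reject oracle, enumerates the seed space, then forges a token for content the attacker never had; the hardened variant beside it uses a random 256-bit key and an HMAC tag, so there is no seed to guess and the oracle rejects every unauthenticated token. Assumptions: the seed space is modelled as 0..18999, the token layout is `share:<item-id>`, Python's `random.Random(seed)` stands in for `System.Random(seed)`, and a SHA-256 keystream XOR stands in for DES-CBC because the standard library has no DES; the weakness demonstrated is the seed space, not the cipher.

```python
"""Brute-forcing a low-entropy PRNG seed through an accept/reject oracle (constructed example)."""
import hashlib
import hmac
import random
import secrets
import struct
from typing import Callable, Optional, Tuple

SEED_SPACE = 19_000          # assumption: models the ~19,000-value seed space from the advisory
TOKEN_PREFIX = b"share:"     # assumption: plaintext layout of a sharing token
TAG_LEN = 32


def derive_key_iv(seed: int) -> Tuple[bytes, bytes]:
    """Key and IV taken from a PRNG seeded with a small integer (stand-in for System.Random)."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(8))
    iv = bytes(rng.getrandbits(8) for _ in range(8))
    return key, iv


def xor_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for DES-CBC: XOR with a SHA-256 keystream bound to (key, iv). Symmetric."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class WeakSharingService:
    """Server side as described in the advisory: key material comes from a seed
    drawn from SEED_SPACE, and the download endpoint reveals whether a token parses."""

    def __init__(self, seed: Optional[int] = None) -> None:
        self._seed = secrets.randbelow(SEED_SPACE) if seed is None else seed
        self._key, self._iv = derive_key_iv(self._seed)

    def issue_token(self, item_id: str) -> bytes:
        return xor_crypt(self._key, self._iv, TOKEN_PREFIX + item_id.encode())

    def download(self, token: bytes) -> Optional[str]:
        """The oracle: item id on a well-formed token, None otherwise."""
        plain = xor_crypt(self._key, self._iv, token)
        if not plain.startswith(TOKEN_PREFIX):
            return None
        return plain[len(TOKEN_PREFIX):].decode("utf-8", "replace")


def recover_seed(oracle: Callable[[bytes], Optional[str]]) -> Optional[int]:
    """Attacker side: forge a probe token under each candidate seed and ask the
    server whether it parses. Only the true seed yields a well-formed plaintext."""
    for seed in range(SEED_SPACE):
        key, iv = derive_key_iv(seed)
        if oracle(xor_crypt(key, iv, TOKEN_PREFIX + b"probe")) == "probe":
            return seed
    return None


def forge_token(seed: int, item_id: str) -> bytes:
    """With the seed known, tokens for arbitrary items can be minted offline."""
    key, iv = derive_key_iv(seed)
    return xor_crypt(key, iv, TOKEN_PREFIX + item_id.encode())


class SafeSharingService:
    """Hardened: a 256-bit key from the OS CSPRNG and an HMAC tag checked in
    constant time before the payload is interpreted. No seed, nothing to enumerate."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def issue_token(self, item_id: str) -> bytes:
        payload = item_id.encode()
        return payload + hmac.new(self._key, payload, hashlib.sha256).digest()

    def download(self, token: bytes) -> Optional[str]:
        if len(token) <= TAG_LEN:
            return None
        payload, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self._key, payload, hashlib.sha256).digest()):
            return None
        return payload.decode("utf-8", "replace")


if __name__ == "__main__":
    weak = WeakSharingService()
    seed = recover_seed(weak.download)
    print("recovered seed:", seed)
    print("forged download:", weak.download(forge_token(seed, "victim-attachment.pdf")))
    print("same attack on hardened service:", recover_seed(SafeSharingService().download))
```

The oracle only needs to distinguish "parsed" from "did not parse"; an HTTP status code is enough, which is why the advisory's download endpoint suffices. Against the hardened service the loop completes with nothing learned, because the tag check fails for every candidate and the key space is 2^256 rather than 19,000.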