CVE-2026-7807 HIGH

CVE-2026-7807: SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API

Vendor SmarterTools Inc.
Product SmarterMail
Weakness CWE-22 · Path traversal
Published May 8, 2026
Last update May 11, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Combined with the weak encryption algorithms and hardcoded keys, this file read lets an attacker decrypt and access stored passwords and 2FA secrets for all users.

Key dates

02 Disclosure timeline

May 8, 2026 CVE published
May 11, 2026 Record updated