SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability
• Software Link:
https://www.smartertools.com/smartermail/business-email-server
• Affected Versions:
Build 9518 and prior builds.
• Vulnerability Description:
User input passed through the “MailboxId” GET parameter to the MAPI endpoints is not properly sanitized before being used to generate HTML output. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks which, in turn, might lead to 1-click Remote Command Execution (RCE) attacks.
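The defect class described above (a query parameter reflected into HTML without output encoding) is easiest to see with the unsafe and hardened handlers side by side. The following is an added illustration written for this advisory, not SmarterMail's code: only the parameter name “MailboxId” comes from the advisory, while the request URL, the page template, the helper names and the allow-list format for the identifier are assumptions made for the demo.

```python
# Added illustration (not SmarterMail code): a minimal handler that reflects
# a GET parameter into HTML, shown unsafe and then hardened.
# "MailboxId" is the parameter name from the advisory; the URL, template,
# helper names and allow-list rule are assumptions for this demo.
import re
from html import escape
from urllib.parse import parse_qs, urlsplit


def mailbox_id_from_url(url: str) -> str:
    """Extract the MailboxId query parameter from a request URL ("" if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("MailboxId", [""])[0]


def render_unsafe(mailbox_id: str) -> str:
    """Vulnerable pattern: raw input concatenated into HTML (reflected XSS)."""
    return f"<p>Mailbox: {mailbox_id}</p>"


def render_encoded(mailbox_id: str) -> str:
    """Hardened: HTML-encode for the element-content context before reflecting."""
    return f"<p>Mailbox: {escape(mailbox_id, quote=True)}</p>"


# Assumed identifier shape for the demo: letters, digits, '-' and '_' only.
_MAILBOX_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def render_validated(mailbox_id: str) -> str:
    """Defence in depth: reject values outside the expected shape, then encode."""
    if not _MAILBOX_ID_RE.fullmatch(mailbox_id):
        return "<p>Invalid mailbox identifier.</p>"
    return render_encoded(mailbox_id)


def reflects_markup(html: str, payload: str) -> bool:
    """True when the payload's markup survives verbatim in the rendered output."""
    return payload in html


# Constructed sample URL carrying a harmless markup marker, not a real attack.
SAMPLE_URL = "https://mail.example.test/mapi?MailboxId=<b>marker</b>"

if __name__ == "__main__":
    mid = mailbox_id_from_url(SAMPLE_URL)
    print("unsafe    :", render_unsafe(mid))       # marker tags reach the page
    print("encoded   :", render_encoded(mid))      # tags become &lt;b&gt; text
    print("validated :", render_validated(mid))    # rejected before rendering
```

The encoded version is the fix the advisory's description calls for; the validated version adds an allow-list as a second layer, which is worth having only once the real format of the identifier is known.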
• Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-26930.html
• Solution:
Upgrade to build 9526 or later.
• Disclosure Timeline:
[26/01/2026] – Vendor notified
[26/01/2026] – Vendor response stating “we will get this over to the developers for evaluation”
[30/01/2026] – Vendor released build 9526
[03/02/2026] – CVE identifier requested
[16/02/2026] – CVE identifier assigned
[16/02/2026] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.org) has assigned the name CVE-2026-26930 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.