CVE-2026-26930

High

Published: 16 February 2026

Published

16 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Score 0.0001 2.6th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26930 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Smartertools (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

SI-10 Information Input Validation

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

Why these techniques?

XSS in public-facing SmarterMail web/MAPI interface directly enables remote exploitation of the web app (T1190); the core effect is attacker-controlled JavaScript execution inside victim browsers (T1059.007) that commonly results in session hijacking (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.

Deeper analysisAI

CVE-2026-26930 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting SmarterTools SmarterMail versions prior to 9526. The flaw arises from improper handling of MAPI requests, enabling malicious script injection. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change.

Unauthenticated attackers can exploit this vulnerability remotely over the network by sending crafted MAPI requests to a vulnerable SmarterMail instance. Successful exploitation allows execution of arbitrary scripts in the context of affected users' browsers, potentially leading to low-level impacts on confidentiality and integrity, such as limited data exposure or modification, without affecting availability.

SmarterTools addresses the issue in release 9526, as detailed in their release notes. Security practitioners should upgrade to version 9526 or later, available via the current release notes page. Additional details appear in a Full Disclosure mailing list post from February 2026.