Cyber Resilience

CVE-2026-26930

High

Published: 16 February 2026

Published
16 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0001 2.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26930 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Smartertools (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-26930 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting SmarterTools SmarterMail versions prior to 9526. The flaw arises from improper handling of MAPI requests, enabling malicious script injection. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change.

Unauthenticated attackers can exploit this vulnerability remotely over the network by sending crafted MAPI requests to a vulnerable SmarterMail instance. Successful exploitation allows execution of arbitrary scripts in the context of affected users' browsers, potentially leading to low-level impacts on confidentiality and integrity, such as limited data exposure or modification, without affecting availability.

SmarterTools addresses the issue in release 9526, as detailed in their release notes. Security practitioners should upgrade to version 9526 or later, available via the current release notes page. Additional details appear in a Full Disclosure mailing list post from February 2026.

EU & UK References

Vulnerability details

SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

XSS in public-facing SmarterMail web/MAPI interface directly enables remote exploitation of the web app (T1190); the core effect is attacker-controlled JavaScript execution inside victim browsers (T1059.007) that commonly results in session hijacking (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23722Shared CWE-79
CVE-2025-68874Shared CWE-79
CVE-2025-53231Shared CWE-79
CVE-2026-22524Shared CWE-79
CVE-2025-0521Shared CWE-79
CVE-2025-15440Shared CWE-79
CVE-2025-22766Shared CWE-79
CVE-2026-22867Shared CWE-79
CVE-2025-40587Shared CWE-79
CVE-2022-50905Shared CWE-79

Affected Assets

Smartertools
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted MAPI request inputs to block script injection that causes this XSS flaw.

prevent

Requires filtering or encoding of information returned to browsers, neutralizing malicious scripts injected via the vulnerable MAPI path.

prevent

Mandates timely application of the vendor-supplied update (v9526) that corrects the improper handling of MAPI requests.

References