CVE-2026-26930
Published: 16 February 2026
Summary
CVE-2026-26930 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Smartertools (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-26930 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting SmarterTools SmarterMail versions prior to 9526. The flaw arises from improper handling of MAPI requests, enabling malicious script injection. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change.
Unauthenticated attackers can exploit this vulnerability remotely over the network by sending crafted MAPI requests to a vulnerable SmarterMail instance. Successful exploitation allows execution of arbitrary scripts in the context of affected users' browsers, potentially leading to low-level impacts on confidentiality and integrity, such as limited data exposure or modification, without affecting availability.
SmarterTools addresses the issue in release 9526, as detailed in their release notes. Security practitioners should upgrade to version 9526 or later, available via the current release notes page. Additional details appear in a Full Disclosure mailing list post from February 2026.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7682
Vulnerability details
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in public-facing SmarterMail web/MAPI interface directly enables remote exploitation of the web app (T1190); the core effect is attacker-controlled JavaScript execution inside victim browsers (T1059.007) that commonly results in session hijacking (T1185).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted MAPI request inputs to block script injection that causes this XSS flaw.
Requires filtering or encoding of information returned to browsers, neutralizing malicious scripts injected via the vulnerable MAPI path.
Mandates timely application of the vendor-supplied update (v9526) that corrects the improper handling of MAPI requests.