CVE-2026-2743
Published: 05 March 2026
Summary
CVE-2026-2743 is a critical-severity Path Traversal (CWE-22) vulnerability in Seppmail Seppmail. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2743, published on 2026-03-05, is an Arbitrary File Write vulnerability via Path Traversal in the Large File Transfer (LFT) feature of the SeppMail User Web Interface, enabling Remote Code Execution. It affects SeppMail versions 15.0.2.1 and earlier. The issue is linked to CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of authentication or user interaction requirements.
An unauthenticated remote attacker can exploit this vulnerability by uploading files through the LFT feature, leveraging path traversal to write arbitrary files to the server filesystem. This can escalate to remote code execution, granting high-impact compromise of confidentiality, integrity, and availability on the affected SeppMail instance.
Mitigation details are outlined in advisories including the SeppMail extended release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html and the Infoguard labs advisory at https://labs.infoguard.ch/advisories/seppmail.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9794
Vulnerability details
Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT). This issue affects SeppMail: 15.0.2.1 and before
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-2743 is an unauthenticated path traversal vulnerability in a public-facing web interface allowing arbitrary file writes and RCE, directly enabling T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces validation of file paths and content during LFT uploads to block traversal sequences and dangerous file types that enable arbitrary writes and RCE.
Requires authentication and enforces access policy before permitting any LFT upload actions, eliminating the unauthenticated exploitation path described in the CVE.
Detects unauthorized file modifications on the server filesystem resulting from successful path-traversal writes before they lead to code execution.