CVE-2026-8811 | SEPPmail versions before 15.0.5 allow improper handling of a… | CVSS 7.1 HIGH

Description

SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations.

Metadata

CVE ID: CVE-2026-8811
State: PUBLISHED
Assigner: NCSC.ch
Reserved: 2026-05-18 08:15 UTC
Published: 2026-06-18 09:05 UTC
Last updated: 2026-06-18 12:14 UTC
Primary CWE: CWE-22
CWE-22
Vendor / Product: SEPPmail AG / Secure Email Gateway
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
SEPPmail AG	Secure Email Gateway	—	0 < 15.0.5

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

References (1)

https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#possible-path-traversal-vulnerability