SmarterTools SmarterMail Local File Inclusion Vulnerability in the API Report Summary Endpoint

Vulnerability

A local file inclusion vulnerability has been identified in SmarterTools SmarterMail builds prior to 9560. The issue resides in the '/api/v1/report/summary/{type}' API endpoint, where an authenticated user can read arbitrary .json files on the system. Combined with the product's use of weak encryption algorithms and hardcoded keys, this allows an attacker to decrypt and retrieve the stored passwords and two-factor authentication secrets of all users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, including passwords and two-factor authentication secrets, potentially enabling account takeover.

Added: May 8, 2026, 10:03 PM
Updated: May 8, 2026, 10:03 PM

Vulnerability Rating

Custom Algorithm

spread:         5.2
impact:         2.5
exploitability: 5.4
remediation:    0.0
relevance:      7.8
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.