Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization.
AnalysisAI
SEPPmail Secure Email Gateway before version 15.0.3 permits attackers to craft malicious password-tags that circumvent subject line sanitization controls, potentially enabling unauthorized email manipulation or information disclosure. The vulnerability affects all versions prior to 15.0.3 and was reported by NCSC.ch; no CVSS score or public exploit code has been published at the time of analysis.
Technical ContextAI
The vulnerability resides in SEPPmail's subject sanitization mechanism, which is responsible for filtering or encoding email subject lines to prevent injection attacks and other email-based exploits. The underlying weakness is classified as CWE-20 (Improper Input Validation), indicating that the application fails to adequately validate or filter password-tag constructs before applying them to email subjects. By crafting a specially formatted password-tag parameter, an attacker can bypass the intended sanitization logic, allowing untrusted content to be reflected in or processed by the email gateway without proper encoding. This affects the SEPPmail Secure Email Gateway product family across all versions before the patched release.
RemediationAI
Vendor-released patch: SEPPmail Secure Email Gateway version 15.0.3 or later resolves this vulnerability. Organizations should upgrade immediately from any pre-15.0.3 version to 15.0.3 or the latest available release. Detailed patch information and release notes are available at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503. No workarounds are documented; patching is the recommended remediation path.
More in Secure Email Gateway
View allSecure Email Gateway from Cellopoint has Buffer Overflow Vulnerability in authentication process. Rated critical severit
A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unau
The SMTP Listener of Secure Email Gateway from Cellopoint does not properly validate user input, leading to a Buffer Ove
Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to e
Authorization bypass in SEPPmail Secure Email Gateway versions prior to 15.0.4 enables remote unauthenticated attackers
Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secur
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers to bypass subject sanitization and forge security t
SEPPmail Secure Email Gateway before version 15.0.3 fails to properly authenticate inner messages within S/MIME-encrypte
Account takeover in SEPPmail Secure Email Gateway versions before 15.0.3 allows unauthenticated attackers to reset victi
SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to bypass subject line sanitization controls
SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to inject malicious certificates into S/MIME
Path traversal in SEPPmail Secure Email Gateway versions before 15.0.5 allows authenticated remote attackers to write fi
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18150