CVE-2026-44128
Description
SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's eval.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code execution in SEPPmail Secure Email Gateway's GINA UI via Perl eval injection, fixed in version 15.0.2.1.
CVE-2026-44128 is a critical vulnerability in the SEPPmail Secure Email Gateway's new GINA web interface. An endpoint passes attacker-controlled input from a parameter directly to Perl's eval function, allowing arbitrary code execution without authentication [2].
The vulnerability is exploitable by sending a crafted HTTP request to the vulnerable endpoint. No authentication is required, and the attacker does not need prior access to the system. The input is not sanitized before being evaluated by Perl, enabling injection of arbitrary Perl code [2].
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server. This can lead to full compromise of the email gateway, including access to all emails and sensitive data [2].
The vendor addressed the vulnerability in version 15.0.2.1 of the SEPPmail Secure Email Gateway. Users are advised to upgrade immediately. No workarounds are available [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <15.0.2.1
Patches (0)
No patches discovered yet.
References (2)
News mentions (1)
- SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access (The Hacker News · May 19, 2026)