VYPR
High severity · NVD Advisory · Published May 8, 2026 · Updated May 18, 2026

CVE-2026-44129

Description

SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts an attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution, depending on the enabled template plugins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SEPPmail Secure Email Gateway before 15.0.4 is vulnerable to server-side template injection in the GINA UI, allowing remote attackers to execute arbitrary template expressions and potentially achieve RCE.

Vulnerability Overview

CVE-2026-44129 is a server-side template injection (SSTI) vulnerability in the new GINA UI component of SEPPmail Secure Email Gateway. The root cause is that an endpoint accepts attacker-controlled template input without proper sanitization, enabling the injection of arbitrary template expressions [1]. This flaw exists in versions prior to 15.0.4.

Exploitation

The vulnerable endpoint is accessible over the network, and the GINA UI is a web interface that may be exposed to the internet. While the description does not specify authentication requirements, the SEPPmail gateway typically allows self-registration, making it possible for an attacker to obtain an authenticated session [2]. An attacker can craft a malicious request containing template expressions that are then evaluated by the server-side template engine.

Impact

Successful exploitation allows an attacker to execute arbitrary template expressions. Depending on the enabled template plugins, this can lead to remote code execution (RCE) on the gateway appliance. An attacker could gain full control of the email gateway, potentially compromising all email traffic and stored data.
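
The flaw class and its dependence on enabled plugins, shown with a constructed toy template engine. This is an added example, not SEPPmail code: the advisory names neither the engine nor the endpoint, so the `{{ ... }}` syntax, the handler names and the `state` plugin are assumptions made for illustration.

```python
import re

# Constructed toy engine, not the product's: {{ name }} reads a variable,
# {{ plugin:arg }} calls a plugin if the deployment has enabled it.
EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")

# Constructed server-side state standing in for what a powerful plugin can reach.
SERVER_STATE = {"secret": "constructed-secret-value"}
PLUGINS = {"state": lambda key: SERVER_STATE.get(key, "")}

FIXED_TEMPLATE = "Hello {{ user }}, your message is ready."


def render(template, variables, plugins):
    """Evaluate each {{ ... }} expression in the template text exactly once."""
    def evaluate(match):
        name, is_call, arg = match.group(1).partition(":")
        if is_call:
            if name not in plugins:
                raise PermissionError(f"plugin not enabled: {name}")
            return plugins[name](arg)
        return str(variables.get(name, ""))
    # Substituted values are not re-scanned, so data can never become template code.
    return EXPR.sub(evaluate, template)


def handle_vulnerable(request, plugins):
    """Flawed pattern: the template text itself comes from the request."""
    return render(request["template"], {"user": request.get("user", "")}, plugins)


def handle_hardened(request, plugins):
    """Server-owned template; request values are bound as data only."""
    return render(FIXED_TEMPLATE, {"user": request.get("user", "")}, plugins)


if __name__ == "__main__":
    probe = "{{ state:secret }}"  # constructed input
    print(handle_vulnerable({"template": probe}, PLUGINS))
    print(handle_hardened({"user": probe, "template": probe}, PLUGINS))
    try:
        handle_vulnerable({"template": probe}, {})
    except PermissionError as exc:
        print("plugin disabled:", exc)
```

With the plugin enabled, the request-supplied template reaches server-side state; with it disabled, the expression is still evaluated but the plugin call is refused. The hardened handler returns the same input as inert text.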

Mitigation

The vulnerability is fixed in SEPPmail Secure Email Gateway version 15.0.4.3, released on May 11, 2026 [1]. Users are strongly advised to upgrade to this version or later. No workarounds have been published.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
