High severity8.1NVD Advisory· Published May 8, 2026· Updated May 13, 2026

CVE-2026-7807

Description

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

Affected products

Smartertools/Smartermailllm-fuzzy
Range: < 9560

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.smartertools.com/smartermail/release-notes/currentnvd
www.vulncheck.com/advisories/smartertools-smartermail-build-9560-server-local-file-inclusion-via-the-api-v1-report-summary-type-apinvd

News mentions

Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks
Infosecurity Magazine · Apr 7, 2026

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000