{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-27444","assignerOrgId":"455daabc-a392-441d-aa46-37d35189897c","state":"PUBLISHED","assignerShortName":"NCSC.ch","dateReserved":"2026-02-19T13:56:28.869Z","datePublished":"2026-03-04T08:47:05.758Z","dateUpdated":"2026-03-04T19:28:55.122Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Secure Email Gateway","vendor":"SEPPmail","versions":[{"lessThan":"15.0.1","status":"affected","version":"0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*","versionEndExcluding":"15.0.1","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Andris Suter-Dörig"},{"lang":"en","type":"coordinator","value":"Matteo Scarlata"},{"lang":"en","type":"coordinator","value":"Kenny Paterson"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it."}],"value":"SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it."}],"impacts":[{"capecId":"CAPEC-194","descriptions":[{"lang":"en","value":"CAPEC-194 Fake the Source of Data"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":7.8,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"HIGH","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-436","description":"CWE-436 Interpretation Conflict","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"455daabc-a392-441d-aa46-37d35189897c","shortName":"NCSC.ch","dateUpdated":"2026-03-04T08:47:05.758Z"},"references":[{"tags":["release-notes"],"url":"https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure"}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2025-10-31T14:22:00.000Z","value":"Vulnerability disclosed to SEPPmail"},{"lang":"en","time":"2026-01-06T00:00:00.000Z","value":"Version 15.0.1 released"}],"title":"Header Email Address Parsing","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-04T19:28:45.431055Z","id":"CVE-2026-27444","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-04T19:28:55.122Z"}}]}}