PULSE
LIVE44signals / 24h
FEED
ransomnova reclama a Phi · Not Foundransomnova reclama a Digipro · Technologyransomnova reclama a Integrated Marketing Services · Business Servicesransomkrybit reclama a eitzchaim.com · IL · Not Foundransomkrybit reclama a formasuniversales.com · MX · Business Servicesransomkrybit reclama a rehabmalaysia.com · MY · Healthcareransomkrybit reclama a www.lagus.cz · CZ · Business Servicesransomgunra reclama a Dissinger and Dissinger Law Firm · US · Business Servicesransomplay reclama a Boston Electric and Telephone · US · Telecommunicationransomplay reclama a Wring Group · GB · Not Foundransomincransom reclama a asa-international.com · GB · Business Servicesransomplay reclama a AG Scholtes · NL · Manufacturingransomplay reclama a Andorra Life · AD · Healthcareransomplay reclama a Svensk Direktreklam · SE · Business Servicesransomnova reclama a Phi · Not Foundransomnova reclama a Digipro · Technologyransomnova reclama a Integrated Marketing Services · Business Servicesransomkrybit reclama a eitzchaim.com · IL · Not Foundransomkrybit reclama a formasuniversales.com · MX · Business Servicesransomkrybit reclama a rehabmalaysia.com · MY · Healthcareransomkrybit reclama a www.lagus.cz · CZ · Business Servicesransomgunra reclama a Dissinger and Dissinger Law Firm · US · Business Servicesransomplay reclama a Boston Electric and Telephone · US · Telecommunicationransomplay reclama a Wring Group · GB · Not Foundransomincransom reclama a asa-international.com · GB · Business Servicesransomplay reclama a AG Scholtes · NL · Manufacturingransomplay reclama a Andorra Life · AD · Healthcareransomplay reclama a Svensk Direktreklam · SE · Business Services
← All CVEs
CVE Watch

CVE-2026-23760

SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability

CVSS

No CVSS

EPSS

96.3%

p100

KEV

YES

Jan 26, 2026

Exploit Today

80

0-100

Published: · Last modified:

EPSS · 30d
96.3%EPSS · 30 days96.3%
2026-06-302026-07-16
KEV catalog record

Product

SmarterTools / SmarterMail

Vulnerability

SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability

Added to KEV

Jan 26, 2026

Remediate by

Feb 16, 2026

Known ransomware use

Yes

Summary description

SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes

https://www.smartertools.com/smartermail/release-notes/current ; https://nvd.nist.gov/vuln/detail/CVE-2026-23760

Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-24423
99.7%
KEV80SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
CVE-2025-52691
99.7%
KEV80SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability