CVE-2026-24423 — Vulnetix

CVE-2026-24423 PUBLISHED KEV CVSS 9.300000190734863 CRITICAL

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

EPSS 83.40% · 99.3th percentile

Risk Scores

CVSS 4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

83.40%

99.3th percentile

Affected Products

Vendor	Product	Versions
SmarterTools	SmarterMail	0, 0
smartertools	smartermail	0, 0, 0

Exploit Intelligence

(crowdsec)
(crowdsec)
(crowdsec)
(crowdsec)
CIRCL exploited: CVE-2026-24423 (circl-sighting)
ET WEB_SPECIFIC_APPS SmarterTools SmarterMail ConnectToHub Remote Code Execution (CVE-2026-24423) (emergingthreats)
ET WEB_SPECIFIC_APPS SmarterTools SmarterMail ConnectToHub Remote Code Execution (CVE-2026-24423) (emergingthreats)
(crowdsec)
CIRCL seen: CVE-2026-24423 (circl-sighting)
CIRCL seen: CVE-2026-24423 (circl-sighting)

…and 163 more exploits

Timeline

Nov 8, 2022 CrowdSec Sighting
Dec 11, 2022 CrowdSec Sighting
Dec 18, 2022 CrowdSec Sighting
Mar 9, 2023 CrowdSec Sighting
Apr 5, 2023 CrowdSec Sighting
May 28, 2023 CrowdSec Sighting
Nov 23, 2023 CrowdSec Sighting
May 4, 2025 CrowdSec Sighting
Jun 10, 2025 CrowdSec Sighting
Jun 19, 2025 CrowdSec Sighting
Jul 31, 2025 CrowdSec Sighting
Nov 20, 2025 CrowdSec Sighting

References

Open in Interactive Console →