CVE-2026-24423NVD

Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

Severity Level

CRITICAL (9.3)

Published Date

23/01/2026

Last Modified

06/02/2026

Exploitation Status

????

References

https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
https://www.smartertools.com/smartermail/release-notes/current
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423