CVE-2026-24423

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail	Third Party Advisory
https://www.smartertools.com/smartermail/release-notes/current	Release Notes
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api	Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*

History

06 Feb 2026, 16:45

Type	Values Removed	Values Added
CPE		cpe:2.3:a:smartertools:smartermail::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Smartertools Smartertools smartermail
References	~~() https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail -~~	() https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail - Third Party Advisory
References	~~() https://www.smartertools.com/smartermail/release-notes/current -~~	() https://www.smartertools.com/smartermail/release-notes/current - Release Notes
References	~~() https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api -~~	() https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api - Third Party Advisory
References	~~() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423 -~~	() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423 - US Government Resource

05 Feb 2026, 21:15

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423 -

23 Jan 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-23 17:16

Updated : 2026-02-06 16:45

NVD link : CVE-2026-24423

Mitre link : CVE-2026-24423

CVE.ORG link : CVE-2026-24423

JSON object : View

Products Affected

smartertools

smartermail

CWE

CWE-306

Missing Authentication for Critical Function

9.8 /10