CVE-2026-24423: SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-24423

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API

Source: NVD (National Vulnerability Database)

Vulnerability Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

关键功能的认证机制缺失

Source: NVD (National Vulnerability Database)

Vulnerability Title

SmarterTools SmarterMail 访问控制错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

SmarterTools SmarterMail是SmarterTools公司的一套邮件服务器软件。该软件支持垃圾邮件过滤、数据统计、简单邮件传输协议SMTP验证等功能。 SmarterTools SmarterMail build 9511之前版本存在访问控制错误漏洞，该漏洞源于ConnectToHub API方法存在未经身份验证的远程代码执行，可能导致执行任意OS命令。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
SmarterTools	SmarterMail	0 ~ 100.0.9511	-

II. Public POCs for CVE-2026-24423

#	POC Description	Source Link	Shenlong Link
1	CVE-2026-24423 exp	https://github.com/aavamin/CVE-2026-24423	POC Details
2	SmarterTools SmarterMail < build 9511 contains an unauthenticated remote code execution caused by malicious OS command execution via ConnectToHub API method, letting remote attackers execute arbitrary commands, exploit requires no authentication.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-24423.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-24423

Please Login to view more intelligence information

https://www.smartertools.com/smartermail/release-notes/currentrelease-notespatch
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-apithird-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-24423

IV. Related Vulnerabilities

Same product: SmarterMail

Same vendor: SmarterTools

Same weakness: CWE-306

V. Comments for CVE-2026-24423

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2026-24423

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-24423

III. Intelligence Information for CVE-2026-24423

IV. Related Vulnerabilities

V. Comments for CVE-2026-24423

Leave a comment