ctipilot.ch


SEPPmail CVE-2026-44128 — CIRCL advisory confirms CVSS 9.3 unauthenticated Perl-eval RCE; no third-party PoC in window

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

W19's long-running concern about the single-source-national-CERT status of CVE-2026-44128 is materially improved this week: the CIRCL (Computer Incident Response Center Luxembourg) advisory at vulnerability.circl.lu confirms CVSS v4.0 9.3 and CWE-95 eval injection in the GINA UI endpoint of SEPPmail Secure Email Gateway < 15.0.2.1, with the patch path to ≥ 15.0.2.1 (CIRCL vulnerability.circl.lu). Because the CIRCL advisory is also an EU national-CERT primary source, the verification status moves from SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH only) to SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH + CIRCL; two separate national CERTs corroborating). There is still no independent third-party PoC or root-cause analysis in the window. For Swiss on-premises SEPPmail estates (cantonal administration and healthcare are the predominant deployments), patch validation against 15.0.2.1 remains a high-priority item.