ctipilot.ch · Switzerland · Europe · Public sector


CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

NCSC-CH published advisory post 12551 on 2026-05-08 covering six CVEs in SEPPmail Secure Email Gateway patched in version 15.0.4 (patch 15.0.4.1). SEPPmail is a Swiss company (Steinach SG) whose gateway handles S/MIME, PGP, and TLS email encryption for Swiss federal agencies, cantonal administrations, healthcare providers, and DACH-region enterprises. See § 6 for the full technical breakdown.

Vulnerability summary:

- CVE-2026-44128 (CVSS 9.3 CRITICAL): unauthenticated RCE via test/development HTTP endpoints left active in the GINAv2 component
- CVE-2026-44125 (CVSS 9.3 CRITICAL): missing authorisation in GINAv2 enabling unauthenticated administrative access and file manipulation
- CVE-2026-44126 (CVSS 9.2 CRITICAL): insecure deserialisation enabling full gateway takeover
- CVE-2026-44127 (CVSS 8.8 HIGH): local file inclusion and arbitrary file deletion
- CVE-2026-44129 (CVSS 8.3 HIGH): server-side template injection
- CVE-2026-7864 (CVSS 6.9 MEDIUM)

No exploitation has been confirmed; all critical paths are pre-authentication (NCSC-CH advisory 12551, 2026-05-08 · SEPPmail release notes v15.0).