Loading
Generated remediation guidance and an executive summary. No account required.
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Use CWE-288, Smartertools vendor hub and Smartermail product page to widen CVE-2026-23760 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2025-52691, CVE-2026-24423 and CVE-2021-32234 for nearby disclosures in the same product family.