An issue exists in SuperWebMailer 9.00.0.01710. It allows spamtest_external.php XSS via a crafted filename.
superwebmailer superwebmailer 9.00.0.01710