
    10 vulnerabilities by axllent

    CVE-2026-27808 (GCVE-0-2026-27808)

    Vulnerability from nvd – Published: 2026-02-25 23:51 – Updated: 2026-02-26 15:47
    VLAI
    Title
    Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
    Summary
    Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.29.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27808",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-26T15:47:50.457289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T15:47:56.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.29.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-25T23:51:20.365Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/10ad4df8cc0cd9e51dea1b4410009545eef7fbf5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/10ad4df8cc0cd9e51dea1b4410009545eef7fbf5"
            },
            {
              "name": "https://github.com/axllent/mailpit/releases/tag/v1.29.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/releases/tag/v1.29.2"
            }
          ],
          "source": {
            "advisory": "GHSA-mpf7-p9x7-96r3",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-27808",
        "datePublished": "2026-02-25T23:51:20.365Z",
        "dateReserved": "2026-02-24T02:31:33.267Z",
        "dateUpdated": "2026-02-26T15:47:56.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23845 (GCVE-0-2026-23845)

    Vulnerability from nvd – Published: 2026-01-19 19:01 – Updated: 2026-01-20 20:05
    VLAI
    Title
    Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API
    Summary
    Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T20:04:04.082622Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T20:05:35.862Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `\u003clink rel=\"stylesheet\" href=\"...\"\u003e` tags to inline them for testing. Version 1.28.3 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-19T19:01:38.163Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe"
            },
            {
              "name": "https://github.com/axllent/mailpit/releases/tag/v1.28.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"
            }
          ],
          "source": {
            "advisory": "GHSA-6jxm-fv7w-rw5j",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23845",
        "datePublished": "2026-01-19T19:01:38.163Z",
        "dateReserved": "2026-01-16T15:46:40.842Z",
        "dateUpdated": "2026-01-20T20:05:35.862Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23829 (GCVE-0-2026-23829)

    Vulnerability from nvd – Published: 2026-01-18 23:23 – Updated: 2026-01-20 20:08
    VLAI
    Title
    Mailpit has SMTP Header Injection via Regex Bypass
    Summary
    Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
    • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
    Assigner
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23829",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T20:08:32.596156Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T20:08:41.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit\u0027s SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\\r` and `\\n` when used inside a character class. Version 1.28.3 fixes this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-150",
                  "description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-19T18:59:54.087Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534"
            },
            {
              "name": "https://github.com/axllent/mailpit/releases/tag/v1.28.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"
            }
          ],
          "source": {
            "advisory": "GHSA-54wq-72mp-cq7c",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit has SMTP Header Injection via Regex Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23829",
        "datePublished": "2026-01-18T23:23:04.176Z",
        "dateReserved": "2026-01-16T15:46:40.841Z",
        "dateUpdated": "2026-01-20T20:08:41.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22689 (GCVE-0-2026-22689)

    Vulnerability from nvd – Published: 2026-01-10 05:46 – Updated: 2026-01-12 16:47
    VLAI
    Title
    Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
    Summary
    Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1385 - Missing Origin Validation in WebSockets
    Assigner
    References
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22689",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T16:47:26.726768Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T16:47:34.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim\u0027s Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1385",
                  "description": "CWE-1385: Missing Origin Validation in WebSockets",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T05:46:13.771Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f"
            }
          ],
          "source": {
            "advisory": "GHSA-524m-q5m7-79mm",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22689",
        "datePublished": "2026-01-10T05:46:13.771Z",
        "dateReserved": "2026-01-08T19:23:09.854Z",
        "dateUpdated": "2026-01-12T16:47:34.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21859 (GCVE-0-2026-21859)

    Vulnerability from nvd – Published: 2026-01-07 23:24 – Updated: 2026-01-08 19:23
    VLAI
    Title
    Mailpit Proxy Endpoint is Vulnerable to Server-Side Request Forgery (SSRF)
    Summary
    Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21859",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-08T19:23:19.174824Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-08T19:23:22.033Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-07T23:24:07.869Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d"
            }
          ],
          "source": {
            "advisory": "GHSA-8v65-47jx-7mfr",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit Proxy Endpoint is Vulnerable to Server-Side Request Forgery (SSRF)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21859",
        "datePublished": "2026-01-07T23:24:07.869Z",
        "dateReserved": "2026-01-05T16:44:16.367Z",
        "dateUpdated": "2026-01-08T19:23:22.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27808 (GCVE-0-2026-27808)

    Vulnerability from cvelistv5 – Published: 2026-02-25 23:51 – Updated: 2026-02-26 15:47
    VLAI
    Title
    Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
    Summary
    Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.29.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27808",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-26T15:47:50.457289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T15:47:56.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.29.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-25T23:51:20.365Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/10ad4df8cc0cd9e51dea1b4410009545eef7fbf5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/10ad4df8cc0cd9e51dea1b4410009545eef7fbf5"
            },
            {
              "name": "https://github.com/axllent/mailpit/releases/tag/v1.29.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/releases/tag/v1.29.2"
            }
          ],
          "source": {
            "advisory": "GHSA-mpf7-p9x7-96r3",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-27808",
        "datePublished": "2026-02-25T23:51:20.365Z",
        "dateReserved": "2026-02-24T02:31:33.267Z",
        "dateUpdated": "2026-02-26T15:47:56.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23845 (GCVE-0-2026-23845)

    Vulnerability from cvelistv5 – Published: 2026-01-19 19:01 – Updated: 2026-01-20 20:05
    VLAI
    Title
    Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API
    Summary
    Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing, so the server issues a request to whatever URL the email's `href` attribute supplies. Version 1.28.3 fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T20:04:04.082622Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T20:05:35.862Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `\u003clink rel=\"stylesheet\" href=\"...\"\u003e` tags to inline them for testing, so the server issues a request to whatever URL the email\u0027s `href` attribute supplies. Version 1.28.3 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-19T19:01:38.163Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe"
            },
            {
              "name": "https://github.com/axllent/mailpit/releases/tag/v1.28.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"
            }
          ],
          "source": {
            "advisory": "GHSA-6jxm-fv7w-rw5j",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23845",
        "datePublished": "2026-01-19T19:01:38.163Z",
        "dateReserved": "2026-01-16T15:46:40.842Z",
        "dateUpdated": "2026-01-20T20:05:35.862Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23829 (GCVE-0-2026-23829)

    Vulnerability from cvelistv5 – Published: 2026-01-18 23:23 – Updated: 2026-01-20 20:08
    VLAI
    Title
    Mailpit has SMTP Header Injection via Regex Bypass
    Summary
    Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
    • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
    Assigner
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23829",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T20:08:32.596156Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T20:08:41.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit\u0027s SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\\r` and `\\n` when used inside a character class. Version 1.28.3 fixes this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-150",
                  "description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-19T18:59:54.087Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534"
            },
            {
              "name": "https://github.com/axllent/mailpit/releases/tag/v1.28.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"
            }
          ],
          "source": {
            "advisory": "GHSA-54wq-72mp-cq7c",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit has SMTP Header Injection via Regex Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23829",
        "datePublished": "2026-01-18T23:23:04.176Z",
        "dateReserved": "2026-01-16T15:46:40.841Z",
        "dateUpdated": "2026-01-20T20:08:41.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22689 (GCVE-0-2026-22689)

    Vulnerability from cvelistv5 – Published: 2026-01-10 05:46 – Updated: 2026-01-12 16:47
    VLAI
    Title
    Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
    Summary
    Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real time. This issue has been patched in version 1.28.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1385 - Missing Origin Validation in WebSockets
    Assigner
    References
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22689",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T16:47:26.726768Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T16:47:34.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim\u0027s Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real time. This issue has been patched in version 1.28.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1385",
                  "description": "CWE-1385: Missing Origin Validation in WebSockets",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T05:46:13.771Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f"
            }
          ],
          "source": {
            "advisory": "GHSA-524m-q5m7-79mm",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22689",
        "datePublished": "2026-01-10T05:46:13.771Z",
        "dateReserved": "2026-01-08T19:23:09.854Z",
        "dateUpdated": "2026-01-12T16:47:34.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21859 (GCVE-0-2026-21859)

    Vulnerability from cvelistv5 – Published: 2026-01-07 23:24 – Updated: 2026-01-08 19:23
    VLAI
    Title
    Mailpit Proxy Endpoint is Vulnerable to Server-Side Request Forgery (SSRF)
    Summary
    Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    axllent mailpit Affected: < 1.28.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21859",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-08T19:23:19.174824Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-08T19:23:22.033Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mailpit",
              "vendor": "axllent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.28.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-07T23:24:07.869Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr"
            },
            {
              "name": "https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d"
            }
          ],
          "source": {
            "advisory": "GHSA-8v65-47jx-7mfr",
            "discovery": "UNKNOWN"
          },
          "title": "Mailpit Proxy Endpoint is Vulnerable to Server-Side Request Forgery (SSRF)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21859",
        "datePublished": "2026-01-07T23:24:07.869Z",
        "dateReserved": "2026-01-05T16:44:16.367Z",
        "dateUpdated": "2026-01-08T19:23:22.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }