cbcvebase.
CVE-2026-21859
published 2026-01-08


Priority: P2 79 · medium · 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.76% (50.5th percentile)
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.

Affected

5 ranges
Vendor      Product          Version range     Fixed in
axllent     mailpit          < 1.29.2          1.29.2
axllent     mailpit          < 1.28.1          1.28.1
axllent     mailpit          < 1.29.2          1.29.2
github.com  axllent_mailpit  >= 0 < 1.28.1     1.28.1
github.com  axllent_mailpit  >= 0 < 1.29.2     1.29.2

Detection & IOCs (extracted from sources)

url:   /proxy?url=http://127.0.0.1:8025/api/v1/info
path:  /proxy
other: shodan:title:"Mailpit"
other: fofa:title="Mailpit"
  • Detect SSRF exploitation attempts targeting the /proxy endpoint with internal IP addresses in the 'url' query parameter (e.g., 127.0.0.1, RFC-1918 ranges).
  • Match HTTP GET requests to /proxy?url= containing loopback or internal addresses; a successful exploit response will contain JSON fields '"Version"', '"Database"', and '"RuntimeStats"' in the body with Content-Type application/json.
  • Exploitation is limited to HTTP GET requests; monitor for GET /proxy?url=http://<internal-IP>:<port>/ patterns in web server access logs.
  • Affected versions are Mailpit <= 1.28.0; presence of Mailpit instances can be identified via Shodan (title:"Mailpit") or FOFA (title="Mailpit") for exposure assessment.
  • The SSRF is constrained to HTTP GET requests only; POST or other methods are not exploitable via this vector.
  • The /proxy endpoint does validate http:// and https:// schemes, so non-HTTP schemes (e.g., file://, gopher://) are blocked; only internal IP address filtering is missing.
  • The vulnerability is fixed in version 1.28.1; the Nuclei template references 1.28.3 in its name but NVD and the advisory confirm the fix is in 1.28.1.
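As an added illustration of the detection bullets above (example code written for this record, not code from the Mailpit project or from the record's sources), the following Python scans constructed access-log lines for GET /proxy?url= requests whose target host is a loopback, RFC-1918 or link-local IP literal; the same address test is the kind of check the /proxy endpoint lacked before 1.28.1. The log lines, client addresses and URLs are constructed samples.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2026:10:01:02 +0000] "GET /proxy?url=http://127.0.0.1:8025/api/v1/info HTTP/1.1" 200 312
10.0.0.5 - - [08/Jan/2026:10:01:09 +0000] "GET /proxy?url=http%3A%2F%2F10.0.0.20%3A8080%2Fstatus HTTP/1.1" 200 90
10.0.0.7 - - [08/Jan/2026:10:02:15 +0000] "GET /proxy?url=https://example.com/logo.png HTTP/1.1" 200 5120
10.0.0.7 - - [08/Jan/2026:10:02:40 +0000] "POST /proxy?url=http://192.168.1.10/ HTTP/1.1" 405 0
10.0.0.9 - - [08/Jan/2026:10:03:01 +0000] "GET /api/v1/messages HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_internal_host(host: str) -> bool:
    """True when host is an IP literal in loopback, private (RFC-1918), link-local
    or unspecified space. Hostnames are not resolved here, so they return False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def proxy_target(request_target: str):
    """Return the percent-decoded url= value of a /proxy request, else None."""
    parsed = urlparse(request_target)
    if parsed.path != "/proxy":
        return None
    values = parse_qs(parsed.query).get("url")  # parse_qs already decodes %xx
    return values[0] if values else None


def find_ssrf_attempts(log_text: str):
    """Return (client_ip, proxied_url) for every GET /proxy?url= request whose
    target host is an internal address. Only GET is checked, matching the
    advisory's note that the SSRF is reachable via GET alone."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        url = proxy_target(m.group("target"))
        if url is None:
            continue
        if is_internal_host(urlparse(url).hostname or ""):
            hits.append((line.split(" ", 1)[0], url))
    return hits
```

Hostnames in url= are deliberately not resolved, so a DNS name that points at an internal address is not flagged by this literal-IP check and needs resolution at the analysis stage.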

CVSS provenance

nvd        v3.1  5.3  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ghsa             5.3  MEDIUM
osv              5.3  MEDIUM
vulncheck        5.8  MEDIUM