CVE-2026-23829
Published: 2026-01-19
Priority P342 · Severity: medium, CVSS 3.1 base score 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (network-reachable, low attack complexity, no privileges or user interaction required, unchanged scope; low integrity impact, no confidentiality or availability impact)
Exploit likelihood: EPSS 1.44% (69.9th percentile)
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axllent | mailpit | < 1.28.3 | 1.28.3 |
| github.com | axllent_mailpit | >= 0 < 1.28.3 | 1.28.3 |
OSV (2026-02-03): CVE-2026-23829, "Mailpit has an SMTP Header Injection via Regex Bypass in github.com/axllent/mailpit"

GHSA (2026-01-20): CVE-2026-23829 [MEDIUM], CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), "Mailpit has an SMTP Header Injection via Regex Bypass". The advisory text follows.
# Vulnerability Report: SMTP Header Injection via Regex Bypass
**Vulnerable Code:** `mailpit/internal/smtpd/smtpd.go`
## Executive Summary
Mailpit's SMTP server is vulnerable to **Header Injection** due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class.
## RFC Compliance & Design Analysis
**"Is this behavior intentional for a testing tool?"**
No. While testing tools are often permissive, this specific be
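The following is an added example, not Mailpit's code and not part of the advisory, that illustrates the failure mode both the CVE description and the executive summary above describe: an allow-list character class that quietly admits `\r` and `\n`, placed next to a check that rejects control characters before any pattern runs. The regex here lets CR/LF through via the `\s` shorthand; that is an assumed construction for illustration, not the project's actual expression. The `Return-Path` writer and the sample addresses are likewise constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// weakAddrRe is an illustrative allow-list, not Mailpit's actual regex, of the kind the
// advisory describes: it is meant to keep control characters out of an envelope address,
// but the \s shorthand inside the character class also matches \r and \n, so a bare CR or
// a CRLF passes. (Go's RE2 anchors $ at end of text, so that is not the weak spot here.)
var weakAddrRe = regexp.MustCompile(`^[\w\s.+\-@<>:\[\]"]+$`)

// WeakValidate reports whether addr passes the weak allow-list.
func WeakValidate(addr string) bool { return weakAddrRe.MatchString(addr) }

var ErrControlChar = errors.New("envelope address contains a control character")

// StrictValidate rejects CR, LF and every other ASCII control character before any
// allow-list runs; RFC 5321 never permits them in a MAIL FROM or RCPT TO address.
func StrictValidate(addr string) error {
	for _, r := range addr {
		if r < 0x20 || r == 0x7f {
			return ErrControlChar
		}
	}
	if !weakAddrRe.MatchString(addr) {
		return errors.New("envelope address contains a disallowed character")
	}
	return nil
}

// ReturnPathHeader models a store component writing the envelope sender into the stored
// message (constructed for illustration; the header name is the conventional one).
func ReturnPathHeader(sender string) string {
	return "Return-Path: <" + sender + ">\r\n"
}

// HeaderLineCount splits a header block on CR or LF and counts the non-empty lines:
// 1 for a clean address, more once an injected line break has split the single header.
func HeaderLineCount(header string) int {
	return len(strings.FieldsFunc(header, func(r rune) bool { return r == '\r' || r == '\n' }))
}

func main() {
	// Constructed inputs: a clean address and one carrying a bare CR plus a second header.
	for _, a := range []string{"alice@example.test", "alice@example.test\rX-Injected: yes"} {
		fmt.Printf("%q weak=%v strict=%v header_lines=%d\n",
			a, WeakValidate(a), StrictValidate(a), HeaderLineCount(ReturnPathHeader(a)))
	}
}
```

The bare-CR case matters as much as CRLF: a server that reads commands up to `\n` still receives the whole `MAIL FROM` line, so a lone `\r` inside the address survives line splitting and only surfaces once the address is written back out into a header.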
OSV (2026-01-20): CVE-2026-23829 [MEDIUM] "Mailpit has an SMTP Header Injection via Regex Bypass", a mirror of the GHSA report above with identical text.
No detection rules found.
Nuclei: "Mailpit < 1.28.2 - SMTP CRLF Injection" (CVE-2026-23829, [MEDIUM], CVSS 5.3)

The template's title says < 1.28.2, while the advisory above gives 1.28.3 as the fixed version. Its matchers flag a host whose replies contain a 250 and none of 500, 501 or 553, that is, a server that accepted the envelope carrying the injected address instead of rejecting it with a 5xx reply as a fixed build is expected to. The fragment below is as extracted; the address arguments of the `MAIL FROM`/`RCPT TO` lines are missing.

```yaml
Mailpit \r\n"
      - data: "RCPT TO:\r\n"
      - data: "DATA\r\n"
      - data: "Subject: Test \r\n\r\nCombined Template Check.\r\n.\r\n"
      - data: "QUIT\r\n"
    host:
      - "{{Hostname}}"
    port: 1025
    read-size: 2048
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "250"
      - type: word
        words:
          - "501"
          - "500"
          - "553"
        negative: true
# digest: 4a0a00473045022100cde26e4a994f0700730e9a3c36f69a1ca1d5d7d74152764c1ec6d4a2f8a0916802202dfdf91a24986107ab18c6ff15f0c4d985f95d2877e617595978b8635424c0e7:922c64590222798bb761d5b6d8e72950
```
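The following added example (written for this page, not by the template's authors or the Mailpit project) reproduces the envelope part of the template's probe and its matcher logic in Go, and runs it against a constructed in-process SMTP server in permissive and strict modes. The `MAIL FROM` payload (a bare CR inside the address), the `probe.invalid`/`example.test` names and the fake server's replies are assumptions; the DATA phase is left out because it does not affect the verdict. `Probe` takes any `io.ReadWriter`, so the same function can be pointed at a real `net.Conn` to port 1025.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// probeCommands mirrors the envelope commands of the Nuclei template. The MAIL FROM payload
// (a bare CR inside the address) is assumed; the template's own addresses are not on the page.
var probeCommands = []string{
	"EHLO probe.invalid\r\n",
	"MAIL FROM:<probe@example.test\rX-Injected: nuclei>\r\n",
	"RCPT TO:<victim@example.test>\r\n",
	"QUIT\r\n",
}

// readReply returns the final line of an SMTP reply, skipping "250-..." continuation lines.
func readReply(r *bufio.Reader) (string, error) {
	line, err := r.ReadString('\n')
	for err == nil && len(line) > 3 && line[3] == '-' {
		line, err = r.ReadString('\n')
	}
	return strings.TrimRight(line, "\r\n"), err
}

// Probe sends the sequence over rw (a real net.Conn or the fake below) and returns the banner plus one reply per command.
func Probe(rw io.ReadWriter) ([]string, error) {
	r := bufio.NewReader(rw)
	banner, err := readReply(r)
	if err != nil {
		return nil, err
	}
	replies := []string{banner}
	for _, cmd := range probeCommands {
		if _, err := io.WriteString(rw, cmd); err != nil {
			return replies, err
		}
		reply, err := readReply(r)
		if err != nil {
			return replies, err
		}
		replies = append(replies, reply)
	}
	return replies, nil
}

// Vulnerable applies the template's matchers: some reply is a 250 and none is 500, 501 or 553
// (Nuclei's word matcher looks anywhere in the read buffer; the status-code prefix is the stricter form).
func Vulnerable(replies []string) bool {
	accepted, rejected := false, false
	for _, l := range replies {
		switch {
		case strings.HasPrefix(l, "250"):
			accepted = true
		case strings.HasPrefix(l, "500"), strings.HasPrefix(l, "501"), strings.HasPrefix(l, "553"):
			rejected = true
		}
	}
	return accepted && !rejected
}

// fakeSMTP is a constructed in-process server. strict=false accepts every envelope address
// (the pre-1.28.3 behaviour the advisory describes); strict=true answers 501 to one carrying CR or LF.
func fakeSMTP(conn net.Conn, strict bool) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	fmt.Fprint(conn, "220 fake ESMTP\r\n")
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return
		}
		cmd := strings.TrimRight(line, "\r\n")
		switch {
		case cmd == "QUIT":
			fmt.Fprint(conn, "221 bye\r\n")
			return
		case strict && strings.ContainsAny(cmd, "\r\n"): // a bare CR survived line splitting
			fmt.Fprint(conn, "501 5.5.4 control character in address\r\n")
		default: // EHLO, MAIL FROM and RCPT TO are all accepted, as the unpatched server would
			fmt.Fprint(conn, "250 OK\r\n")
		}
	}
}

// RunAgainstFake probes the in-process server and returns the matcher verdict and transcript.
func RunAgainstFake(strict bool) (bool, []string, error) {
	client, server := net.Pipe()
	defer client.Close()
	go fakeSMTP(server, strict)
	replies, err := Probe(client)
	return Vulnerable(replies), replies, err
}

func main() {
	for _, strict := range []bool{false, true} {
		vuln, replies, err := RunAgainstFake(strict)
		fmt.Println("strict:", strict, "flagged:", vuln, err, replies)
	}
}
```

The permissive server answers 250 to the `MAIL FROM` with the bare CR and is flagged; the strict one answers 501 and is not, which is the distinction the template's positive and negative word matchers encode.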