CVE-2026-23845
Published 2026-01-19
Priority P3 · 48 · high · CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.40% (31.4th percentile)
Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link>` tags to inline them for testing. Version 1.28.3 fixes the issue.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axllent | mailpit | < 1.28.3 | 1.28.3 |
| axllent | mailpit | < 1.29.2 | 1.29.2 |
| github.com | axllent_mailpit | >= 0 < 1.28.3 | 1.28.3 |
| github.com | axllent_mailpit | >= 0 < 1.29.2 | 1.29.2 |
| github.com | axllent_mailpit | >= 1.28.3 < 1.30.0 | 1.30.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| GHSA | | 7.5 | HIGH | |
| OSV | | 5.3 | MEDIUM | |
GHSA · 2026-05-19 · CVSS 7.5
CVE-2026-45709 [HIGH] CWE-918: Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer
## Summary
The fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, "Server-Side Request Forgery (SSRF) via HTML Check API"), shipped in mailpit `v1.28.3`, hardened `internal/htmlcheck/css.go::downloadCSSToBytes` with a 5MB size cap, a `text/css` content-type check, login-info stripping in `isValidURL`, and an opt-in `--block-remote-css-and-fonts` config flag — but **did not add the IP-filtering dialer that the same codebase already uses on the two sister SSRF endpoints** (the proxy handler and link-check). At HEAD `8bc966e61834a24c48b4465da418f75e73be0afd` (2026-05-06), `internal/htmlcheck/css.go::newSafeHTTPClient` is mis-named — it builds an `http.Client` whose `Tra
GHSA · 2026-02-26 · CVSS 5.3
CVE-2026-27808 [MEDIUM] CWE-918: Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
### Summary
The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction.
This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either
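The control both advisories above say was missing from the HTML Check and Link Check paths is an IP-filtering dialer: any fetch driven by email content has to refuse loopback, private, link-local (including the 169.254.169.254 IMDS address) and multicast destinations before a socket is opened. The following Go client is an added illustration of that pattern, not Mailpit's own code; the function names (`isDisallowedIP`, `safeDialContext`, `newSafeHTTPClient`) and timeouts are this example's own choices.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// isDisallowedIP reports whether an outbound fetch driven by email content
// (a remote stylesheet or a link-check HEAD) must never reach this address:
// loopback, RFC 1918 / ULA private, link-local (covers 169.254.169.254), etc.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast()
}

// safeDialContext resolves the host, refuses the dial if ANY answer is disallowed,
// then connects to the vetted IP literal so a second lookup cannot swap the target.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("ssrf guard: cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip.IP) {
			return nil, fmt.Errorf("ssrf guard: %s resolves to disallowed address %s", host, ip.IP)
		}
	}
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newSafeHTTPClient installs the filtering dialer in the transport; because every
// redirect hop opens a new connection through it, redirected targets are re-checked.
func newSafeHTTPClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext},
	}
}
```

Because the check runs inside the dialer rather than on the URL string, hostnames that resolve to internal addresses are caught as well as raw IP literals.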
OSV · 2026-02-26 · CVSS 5.3
CVE-2026-27808 [MEDIUM] Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
OSV · 2026-02-03
CVE-2026-23845 Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API in github.com/axllent/mailpit
GHSA · 2026-01-21
CVE-2026-23845 [MEDIUM] CWE-918: Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API
### Server-Side Request Forgery (SSRF) via HTML Check CSS Download
The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link>` tags to inline them for testing.
#### Affected Components
- **Primary File:** `internal/htmlcheck/css.go` (lines 132-207)
- **API Endpoint:** `/api/v1/message/{ID}/html-check`
- **Handler:** `server/apiv1/other.go` (lines 38-75)
- **Vulnerable Functions:**
  - `inlineRemoteCSS()` - line 132
  - `downloadToBytes()` - line 193
  - `isURL()` - line 221
#### Technical Details
**1. Insufficient URL Validation (`isURL()` function):**
```go
// inte
```
OSV · 2026-01-21
CVE-2026-23845 [MEDIUM] Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API
No detection rules found.
No public exploits indexed.
Wiz (blogs_wiz) · CVSS 5.8
CVE-2026-23845 [MEDIUM] CVE-2026-23845 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23845: Homebrew vulnerability analysis and mitigation
| Field | Value |
|---|---|
| Source | NVD |
| Score | 7.5 |
| Published | January 19, 2026 |
| Severity | HIGH |
| CNA Score | 5.8 |
| Affected Technologies | Homebrew |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 18.9 |
| Exploitation Probability (EPSS) | 0.1 |
Affected packages and libraries: mailpit (github.com/axllent/mailpit)
Sources: NVD

| Source | Severity | Fix available | Added at |
|---|---|---|---|
| GoLang | MEDIUM | Has Fix | Jan 21, 2026 |
| Homebrew | HIGH | Has Fix | Feb 08, 2026 |
Wiz (blogs_wiz) · CVSS 5.8
CVE-2026-27808 [MEDIUM] CVE-2026-27808 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27808: Homebrew vulnerability analysis and mitigation
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr)
Published 2026-01-19