Axllent Mailpit vulnerabilities
5 known vulnerabilities affecting axllent/mailpit.
Total CVEs: 5
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: HIGH 2, MEDIUM 3
Vulnerabilities
CVE-2026-21859 | P2 | MEDIUM | CVSS 5.3 | Exploited | PoC | fixed in 1.28.1, fixed in 1.29.2 | 2026-01-08
CVE-2026-21859 [MEDIUM] CWE-918
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attacke
Source: nvd
CVE-2026-23829 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 1.28.3 | 2026-01-19
CVE-2026-23829 [MEDIUM] CWE-93
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`
Source: nvd
CVE-2026-27808 | P3 | HIGH | CVSS 8.6 | fixed in 1.29.2 | 2026-02-26
CVE-2026-27808 [HIGH]
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status
Source: nvd
CVE-2026-23845 | P3 | HIGH | CVSS 7.5 | fixed in 1.28.3 | 2026-01-19
CVE-2026-23845 [HIGH] CWE-918
Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads
Source: nvd
CVE-2026-22689 | P4 | MEDIUM | CVSS 6.5 | fixed in 1.28.2 | 2026-01-10
CVE-2026-22689 [MEDIUM] CWE-1385
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer runnin
Source: nvd