
Github.Com Axllent Mailpit vulnerabilities

10 known vulnerabilities affecting github.com/axllent/mailpit.

Total CVEs: 10
CISA KEV: 0
Public exploits: 2
Exploited in the wild: 1
Severity breakdown: HIGH 3, MEDIUM 7

Vulnerabilities

CVE-2026-21859 | Priority P2 | MEDIUM | Exploited, PoC | Affected: ≥ 0, < 1.28.1 | Published: 2026-01-06
CVE-2026-21859 [MEDIUM] CWE-918 Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's `/proxy` endpoint that allows attackers to make requests to internal network resources.
Description: The `/proxy` endpoint allows requests to internal network resources. While it validates `http://` and `https://` schemes, it d
CVE-2026-23829 | Priority P3 | MEDIUM | PoC | Affected: ≥ 0, < 1.28.3 | Published: 2026-01-20
CVE-2026-23829 [MEDIUM] CWE-150 Mailpit has an SMTP Header Injection via Regex Bypass
Vulnerability Report: SMTP Header Injection via Regex Bypass
Vulnerable code: `mailpit/internal/smtpd/smtpd.go`
Executive summary: Mailpit's SMTP server is vulnerable to header injection due to an insufficient regular expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt exis
CVE-2026-27808 | Priority P3 | MEDIUM | CVSS 5.3 | Affected: ≥ 0, < 1.29.2 | Published: 2026-02-26
CVE-2026-27808 [MEDIUM] CWE-918 Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
Summary: The Link Check API (`/api/v1/message/{ID}/link-check`) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status
CVE-2026-23845 | Priority P3 | MEDIUM | Affected: ≥ 0, < 1.28.3 | Published: 2026-01-21
CVE-2026-23845 [MEDIUM] CWE-918 Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API
Server-Side Request Forgery (SSRF) via HTML Check CSS download: The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files referenced by external `<link>` tags to inline them for testing.
Affec
CVE-2026-22689 | Priority P4 | MEDIUM | Affected: ≥ 1.2.6, < 1.28.2 and ≥ 0, < 0.0.0-20260110031614 | Published: 2026-01-13
CVE-2026-22689 [MEDIUM] CWE-1385 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
Summary: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when vi
CVE-2026-55187 | HIGH | CVSS 8.6 | Affected: ≥ 0, < 1.30.2 | Published: 2026-06-19
CVE-2026-55187 [HIGH] CWE-918 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms
Summary: The remediation shipped in mailpit v1.29.2 for [GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3) (CVE-2026-27808) is incomplete. The `tools.IsInternalIP` deny-list relies on Go's stdlib classification helpers (`IsLoopback`, `IsPrivate`, `I
CVE-2026-45709 | HIGH | CVSS 7.5 | Affected: ≥ 1.28.3, < 1.30.0 | Published: 2026-05-19
CVE-2026-45709 [HIGH] CWE-918 Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer
Summary: The fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, "Server-Side Request Forgery (SSRF) via HTML Check API"), shipped in mailpit `v1.28.3`, hardened `internal/htmlcheck/css.go::downloadCSSToBytes` with
CVE-2026-45713 | HIGH | Affected: ≥ 0, < 1.30.0 | Published: 2026-05-19
CVE-2026-45713 [HIGH] CWE-400 Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
Summary: The Mailpit SMTP server has a `Server.MaxSize int` field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value (0 ⇒ "no limit"). The same applies to the HTTP
CVE-2026-45711 | MEDIUM | Affected: ≥ 0, < 1.30.0 | Published: 2026-05-19
CVE-2026-45711 [MEDIUM] CWE-22 Mailpit: Path traversal & arbitrary file write in `mailpit dump --http` via attacker-controlled message IDs
Summary: The `mailpit dump --http` sub-command downloads every message from a remote Mailpit instance and writes each one as `.eml` inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server
CVE-2026-45712 | MEDIUM | Affected: ≥ 0, < 1.30.0 | Published: 2026-05-19
CVE-2026-45712 [MEDIUM] CWE-362 Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauthenticated crash (`fatal error: concurrent map read and map write`)
Summary: The screenshot/print proxy (`/proxy?data=…`) maintains a package-level `assets map[string]MessageAssets` cache, but reads the map without holding `assetsMutex` while a long-running cleanup goroutine an