123 matches found
Mailpit < 1.28.3 - Server-Side Request Forgery
Mailpit = 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources, exploit requires crafted HTTP GET requests. id: CVE-2026-21859 info: name: Mailpit 1.28.3 -...
CVE-2026-55187
Mailpit contains an SSRF protection gap in Link Check API prior to v1.30.2. The internal IsInternalIP deny-list only blocks common IPv4 private/local addresses and CGNAT, and does not recognize several IPv6 forms that embed IPv4 destinations or IPv6 prefixes outside standard private ranges. Bypas...
CVE-2026-55187 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms (follow-up to CVE-2026-27808)
Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go's standard library classification helpers and does not block IPv6 transition mechanisms...
CVE-2026-55187 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms (follow-up to CVE-2026-27808)
Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go's standard library classification helpers and does not block IPv6 transition mechanisms...
CVE-2026-48824
creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:13+00:00| published-proof-of-concept| https://github.com/axllent/mailpit/security/advisories/GHSA-28pq-6qxg-wg5r...
GHSA-28PQ-6QXG-WG5R Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)
Summary The fix for GHSA-fpxj-m5q8-fphw CVE-2026-45710, "Mailpit: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes" wrapped only POST /api/v1/send with http.MaxBytesReader. The four other Mailpit JSON-body API endpoints PUT /api/v1/messages...
PT-2026-55207
Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.30.1 Description An unauthenticated remote attacker can cause a memory-exhaustion Denial of Service DoS by sending large JSON bodies to specific API endpoints. This occurs because the software fails to limit the...
GHSA-M43H-MP45-GHQ6 vulnerabilities
Vulnerabilities for packages: gitea, ollama-fips, rclone, seaweedfs, seaweedfs-operator-fips, gitlab-workhorse-ce, seaweedfs-operator, kubescape-server, ollama, kubescape-server-fips, mailpit, gitea-fips, kubescape, mattermost, bento-fips, mailpit-fips, rclone-fips, seaweedfs-rocksdb,...
CVE-2026-46601 vulnerabilities
Vulnerabilities for packages: gitea, ollama-fips, rclone, seaweedfs, seaweedfs-operator-fips, gitlab-workhorse-ce, seaweedfs-operator, kubescape-server, ollama, kubescape-server-fips, mailpit, gitea-fips, kubescape, mattermost, bento-fips, mailpit-fips, rclone-fips, seaweedfs-rocksdb,...
GHSA-PWFV-328H-75X9 vulnerabilities
Vulnerabilities for packages: hugo-extended, hugo-fips, listmonk, seaweedfs-rocksdb, seaweedfs-rocksdb-fips, mailpit, mattermost-fips, rclone, seaweedfs, seaweedfs-fips, gitlab-workhorse-ce, hugo, rclone-fips, filebrowser, seaweedfs-operator, mattermost, seaweedfs-operator-fips, mailpit-fips...
CVE-2026-46602 vulnerabilities
Vulnerabilities for packages: hugo-extended, hugo-fips, listmonk, seaweedfs-rocksdb, seaweedfs-rocksdb-fips, mailpit, mattermost-fips, rclone, seaweedfs, seaweedfs-fips, gitlab-workhorse-ce, hugo, rclone-fips, filebrowser, seaweedfs-operator, mattermost, seaweedfs-operator-fips, mailpit-fips...
GO-2026-5688 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms in github.com/axllent/mailpit
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms in github.com/axllent/mailpit...
mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms
Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast plus an inline CGNAT range, but those helpers do not match two classes of IPv6 address that should be...
FreeBSD : mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms (44afeb08-6a18-11f1-9647-10ffe07f9334)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 44afeb08-6a18-11f1-9647-10ffe07f9334 advisory. Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers...
FreeBSD : mail/mailpit -- memory-exhaustion DoS via unbounded JSON body (7ae38fde-5ab6-11f1-a242-10ffe07f9334)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 7ae38fde-5ab6-11f1-a242-10ffe07f9334 advisory. Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on...
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...
GHSA-FPXJ-M5Q8-FPHW Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...
Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)
Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...
GHSA-W4VJ-R5PG-3722 Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)
Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...
Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs
Summary The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with...