Mailpit < 1.28.3 - Server-Side Request Forgery

Mailpit = 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources, exploit requires crafted HTTP GET requests. id: CVE-2026-21859 info: name: Mailpit 1.28.3 -...

FreeBSD : mail/mailpit -- memory-exhaustion DoS via unbounded JSON body (7ae38fde-5ab6-11f1-a242-10ffe07f9334)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 7ae38fde-5ab6-11f1-a242-10ffe07f9334 advisory. Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on...

GHSA-FPXJ-M5Q8-FPHW Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...

Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

GHSA-W4VJ-R5PG-3722 Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

Summary The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with...

GHSA-QX5X-85P8-VG4J Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

Summary The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with...

GHSA-J3FJ-QPPJ-FMMC Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer

Summary The fix for GHSA-6jxm-fv7w-rw5j CVE-2026-23845, "Server-Side Request Forgery SSRF via HTML Check API", shipped in mailpit v1.28.3, hardened internal/htmlcheck/css.go::downloadCSSToBytes with a 5MB size cap, a text/css content-type check, login-info stripping in isValidURL, and an opt-in...

PT-2026-41968

Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...

PT-2026-41966

Summary The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with...

PT-2026-41967

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

PT-2026-41965

Summary The fix for GHSA-6jxm-fv7w-rw5j CVE-2026-23845, "Server-Side Request Forgery SSRF via HTML Check API", shipped in mailpit v1.28.3, hardened internal/htmlcheck/css.go::downloadCSSToBytes with a 5MB size cap, a text/css content-type check, login-info stripping in isValidURL, and an opt-in...

CLEANSTART-2026-CF88804 Security fixes for CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499 applied in versions: 1.29.7-r0

Multiple security vulnerabilities affect the mailpit package. These issues are resolved in later releases. See references for individual vulnerability details...

FreeBSD : mail/mailpit -- multiple vulnerabilities (6e701ad2-4f61-11f1-af6d-10ffe07f9334)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 6e701ad2-4f61-11f1-af6d-10ffe07f9334 advisory. Mailpit author reports: Set a default 50MB per message limit to prevent DoS via unlimited SMTP...

CVE-2026-45711

creationtimestamp| type| source ---|---|--- 2026-05-14 04:53:32+00:00| published-proof-of-concept| https://github.com/axllent/mailpit/security/advisories/GHSA-qx5x-85p8-vg4j...

CVE-2026-45713

creationtimestamp| type| source ---|---|--- 2026-05-14 04:53:02+00:00| published-proof-of-concept| https://github.com/axllent/mailpit/security/advisories/GHSA-fpxj-m5q8-fphw...

mail/mailpit -- multiple vulnerabilities

Mailpit author reports: Set a default 50MB per message limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes GHSA-fpxj-m5q8-fphw Include CGNAT Carrier-Grade NAT in internal IP checks GHSA-j3fj-qppj-fmmc Block internal IP access by default in HTML check GHSA-j3fj-qppj-fmmc Fix f...

CVE-2026-32288 vulnerabilities

Vulnerabilities for packages: docker-compose-fips, omni-fips, gitlab-operator, harbor-fips, mailpit, tkn-fips, gitlab-workhorse-ce, prometheus-operator, gitlab-rails-ce-fips, mattermost-fips, vendir, knative-serving, k8ssandra-client, cert-manager, chezmoi, envconsul-fips, gitlab-kas, scorecard,...

GHSA-X4JJ-H2V8-HQQV vulnerabilities

Vulnerabilities for packages: docker-compose-fips, omni-fips, gitlab-operator, harbor-fips, mailpit, tkn-fips, gitlab-workhorse-ce, prometheus-operator, gitlab-rails-ce-fips, mattermost-fips, vendir, knative-serving, k8ssandra-client, cert-manager, chezmoi, envconsul-fips, gitlab-kas, scorecard,...