Lucene search
K

116 matches found

CVE
CVE
added 2026/01/18 11:23 p.m.21 views

CVE-2026-23829

CVE-2026-23829 — Mailpit SMTP header injection via regex bypass. Mailpit’s SMTP server (prior to v1.28.3) fails to properly filter control characters in RCPT TO/MAIL FROM addresses due to a regex with an incomplete character class, allowing CR/LF bypass and header injection. The flaw stems from G...

5.3CVSS5.8AI score0.01441EPSS
Exploits4References3Affected Software1
OSV
OSV
added 2026/01/18 11:23 p.m.3 views

CVE-2026-23829 Mailpit has SMTP Header Injection via Regex Bypass

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate RCPT TO and MAIL FROM addresses. An attacker can inject arbitrary SMTP headers or corrupt existing...

5.3CVSS5.8AI score0.01441EPSS
Exploits4References5
Cvelist
Cvelist
added 2026/01/18 11:23 p.m.21 views

CVE-2026-23829 Mailpit has SMTP Header Injection via Regex Bypass

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate RCPT TO and MAIL FROM addresses. An attacker can inject arbitrary SMTP headers or corrupt existing...

5.3CVSS0.01441EPSS
Exploits4References3
Positive Technologies
Positive Technologies
added 2026/01/18 12:0 a.m.7 views

PT-2026-3406

Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.28 Description Mailpit, an email testing tool and API for developers, has a header injection issue in its SMTP server. This is due to a flawed regular expression used to validate RCPT TO and MAIL FROM addresses,...

5.3CVSS5.5AI score0.01441EPSS
Exploits4References15
FreeBSD
FreeBSD
added 2026/01/18 12:0 a.m.6 views

mail/mailpit -- multiple vulnerabilities

Mailpit author reports: Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection GHSA-54wq-72mp-cq7c Prevent Server-Side Request Forgery SSRF via HTML Check API GHSA-6jxm-fv7w-rw5j...

7.5CVSS5.9AI score0.01441EPSS
Exploits5References2
SUSE CVE
SUSE CVE
added 2026/01/17 12:25 a.m.2 views

SUSE CVE-2026-21859

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery SSRF vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it do...

5.8CVSS6.8AI score0.00755EPSS
Exploits2References2
RedhatCVE
RedhatCVE
added 2026/01/13 10:52 p.m.7 views

CVE-2026-22689

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicio...

6.5CVSS6.7AI score0.00208EPSS
Exploits2References1
EUVD
EUVD
added 2026/01/13 3:11 p.m.7 views

EUVD-2026-1872

Mailpit is vulnerable to Cross-Site WebSocket Hijacking CSWSH allowing unauthenticated access to emails...

6.5CVSS6.3AI score0.00208EPSS
Exploits2References3
Github Security Blog
Github Security Blog
added 2026/01/13 3:11 p.m.10 views

Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

Summary The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally,...

6.5CVSS6.6AI score0.00208EPSS
Exploits2References4Affected Software1
OSV
OSV
added 2026/01/13 3:11 p.m.4 views

GHSA-524M-Q5M7-79MM Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

Summary The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally,...

6.5CVSS6.5AI score0.00208EPSS
Exploits2References4
OSV
OSV
added 2026/01/12 5:39 p.m.3 views

GO-2026-4284 Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability in github.com/axllent/mailpit

Mailpit Proxy Endpoint has Server-Side Request Forgery SSRF vulnerability in github.com/axllent/mailpit...

5.8CVSS7AI score0.00755EPSS
Exploits2References3
Tenable Nessus
Tenable Nessus
added 2026/01/11 12:0 a.m.5 views

FreeBSD : mail/mailpit -- Cross-Site WebSocket Hijacking (d822839e-ee4f-11f0-b53e-0897988a1c07)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the d822839e-ee4f-11f0-b53e-0897988a1c07 advisory. Mailpit author reports: The Mailpit WebSocket server is configured to accept connections from any origi...

6.5CVSS5.9AI score0.00208EPSS
Exploits2References3
Snyk
Snyk
added 2026/01/10 6:51 a.m.5 views

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the CheckOrigin function in the client.go file. An attacker can gain unauthorized access to sensitive email data by tricking a user into visiting a malicious website that establishes a WebSock...

7.1CVSS6.5AI score0.00208EPSS
Exploits2References2
NVD
NVD
added 2026/01/10 6:15 a.m.6 views

CVE-2026-22689

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicio...

6.5CVSS0.00208EPSS
Exploits2References2
Cvelist
Cvelist
added 2026/01/10 5:46 a.m.27 views

CVE-2026-22689 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicio...

6.5CVSS0.00208EPSS
Exploits2References2
CVE
CVE
added 2026/01/10 5:46 a.m.17 views

CVE-2026-22689

Mailpit prior to v1.28.2 is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) because the WebSocket upgrader accepts connections from any origin (CheckOrigin always true). This enables a malicious site to create a WebSocket to ws://localhost:8025 and receive real-time data such as email conten...

6.5CVSS6.3AI score0.00208EPSS
Exploits2References2Affected Software1
OSV
OSV
added 2026/01/10 5:46 a.m.7 views

CVE-2026-22689 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicio...

6.5CVSS6.4AI score0.00208EPSS
Exploits2References4
CNNVD
CNNVD
added 2026/01/10 12:0 a.m.5 views

Mailpit 安全漏洞

Mailpit is an email testing tool from the individual developer Ralph Slooten. A security vulnerability exists in Mailpit versions prior to 1.28.2, which stems from a lack of Origin header validation in the WebSocket server and could lead to cross-site WebSocket hijacking and data leakage...

6.5CVSS6.2AI score0.00208EPSS
Exploits2References2
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.4 views

PT-2026-2243

Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.28.2 Description Mailpit, an email testing tool and API for developers, contains a Cross-Site WebSocket Hijacking CSWSH issue in its WebSocket server. The server, in versions prior to 1.28.2, does not validate the...

6.5CVSS6.5AI score0.00208EPSS
Exploits2References13
RedhatCVE
RedhatCVE
added 2026/01/09 9:10 a.m.3 views

CVE-2026-21859

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery SSRF vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it do...

5.8CVSS6.8AI score0.00755EPSS
Exploits2References1
Rows per page
Query Builder