Lucene search
K

122 matches found

Nuclei
Nuclei
added yesterday65 views

Mailpit < 1.28.3 - Server-Side Request Forgery

Mailpit = 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources, exploit requires crafted HTTP GET requests. id: CVE-2026-21859 info: name: Mailpit 1.28.3 -...

5.8CVSS6.2AI score0.00755EPSS
Exploits2References2
CVE
CVE
added 4 days ago18 views

CVE-2026-55187

Mailpit contains an SSRF protection gap in Link Check API prior to v1.30.2. The internal IsInternalIP deny-list only blocks common IPv4 private/local addresses and CGNAT, and does not recognize several IPv6 forms that embed IPv4 destinations or IPv6 prefixes outside standard private ranges. Bypas...

5.8CVSS6.1AI score0.00282EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-55187 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms (follow-up to CVE-2026-27808)

Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go's standard library classification helpers and does not block IPv6 transition mechanisms...

5.8CVSS0.00282EPSS
Exploits0References3
Circl
Circl
added 2026/07/01 10:35 p.m.7 views

CVE-2026-48824

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:13+00:00| published-proof-of-concept| https://github.com/axllent/mailpit/security/advisories/GHSA-28pq-6qxg-wg5r...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/07/01 8:56 p.m.2 views

GHSA-28PQ-6QXG-WG5R Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)

Summary The fix for GHSA-fpxj-m5q8-fphw CVE-2026-45710, "Mailpit: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes" wrapped only POST /api/v1/send with http.MaxBytesReader. The four other Mailpit JSON-body API endpoints PUT /api/v1/messages...

5.3CVSS5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.13 views

PT-2026-55207

Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.30.1 Description An unauthenticated remote attacker can cause a memory-exhaustion Denial of Service DoS by sending large JSON bodies to specific API endpoints. This occurs because the software fails to limit the...

5.3CVSS6AI score
Exploits0References4
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.9 views

CVE-2026-46601 vulnerabilities

Vulnerabilities for packages: seaweedfs-operator-fips, mailpit-fips, gitea, rclone, seaweedfs-rocksdb, seaweedfs-operator, ollama, bento-fips, kubescape-server, seaweedfs-fips, gitea-fips, kubescape-server-fips, gitlab-workhorse-ce, bento, mattermost-fips, rclone-fips, kubescape, mailpit,...

7.5CVSS6.1AI score0.00339EPSS
Exploits0
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.8 views

GHSA-M43H-MP45-GHQ6 vulnerabilities

Vulnerabilities for packages: seaweedfs-operator-fips, mailpit-fips, gitea, rclone, seaweedfs-rocksdb, seaweedfs-operator, ollama, bento-fips, kubescape-server, seaweedfs-fips, gitea-fips, kubescape-server-fips, gitlab-workhorse-ce, bento, mattermost-fips, rclone-fips, kubescape, mailpit,...

6.1AI score
Exploits0
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.8 views

CVE-2026-46602 vulnerabilities

Vulnerabilities for packages: mattermost-fips, rclone-fips, seaweedfs, seaweedfs-operator-fips, hugo-extended, mailpit, mailpit-fips, seaweedfs-fips, mattermost, seaweedfs-rocksdb-fips, rclone, filebrowser, seaweedfs-rocksdb, hugo-fips, listmonk, seaweedfs-operator, gitlab-workhorse-ce, hugo...

7.5CVSS6.1AI score0.00339EPSS
Exploits0
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.10 views

GHSA-PWFV-328H-75X9 vulnerabilities

Vulnerabilities for packages: mattermost-fips, rclone-fips, seaweedfs, seaweedfs-operator-fips, hugo-extended, mailpit, mailpit-fips, seaweedfs-fips, mattermost, seaweedfs-rocksdb-fips, rclone, filebrowser, seaweedfs-rocksdb, hugo-fips, listmonk, seaweedfs-operator, gitlab-workhorse-ce, hugo...

6.1AI score
Exploits0
OSV
OSV
added 2026/06/25 10:34 p.m.4 views

GO-2026-5688 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms in github.com/axllent/mailpit

Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms in github.com/axllent/mailpit...

5.8CVSS5.8AI score0.00282EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/17 12:0 a.m.11 views

FreeBSD : mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms (44afeb08-6a18-11f1-9647-10ffe07f9334)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 44afeb08-6a18-11f1-9647-10ffe07f9334 advisory. Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers...

5.8CVSS5.5AI score0.00282EPSS
Exploits0References3
FreeBSD
FreeBSD
added 2026/06/17 12:0 a.m.10 views

mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms

Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast plus an inline CGNAT range, but those helpers do not match two classes of IPv6 address that should be...

5.8CVSS5.3AI score0.00282EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/29 12:0 a.m.10 views

FreeBSD : mail/mailpit -- memory-exhaustion DoS via unbounded JSON body (7ae38fde-5ab6-11f1-a242-10ffe07f9334)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 7ae38fde-5ab6-11f1-a242-10ffe07f9334 advisory. Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on...

5.8AI score
Exploits0References3
OSV
OSV
added 2026/05/19 3:54 p.m.6 views

GHSA-FPXJ-M5Q8-FPHW Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...

7.5CVSS5.8AI score0.00099EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/19 3:54 p.m.11 views

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...

5.8AI score0.00099EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 3:53 p.m.11 views

Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

5.9AI score0.00091EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/19 3:53 p.m.7 views

GHSA-W4VJ-R5PG-3722 Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

5.9CVSS5.9AI score0.00091EPSS
Exploits0References3
OSV
OSV
added 2026/05/19 3:53 p.m.30 views

GHSA-QX5X-85P8-VG4J Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

Summary The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with...

5.9CVSS6.3AI score0.00032EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/19 3:53 p.m.17 views

Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

Summary The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with...

6.3AI score0.00032EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder