2 matches found
Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs
Summary The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with...
PT-2026-41966
Name of the Vulnerable Software and Affected Versions Mailpit affected versions not specified Description The dump --http sub-command allows an arbitrary file write via path traversal. When downloading messages from a remote server, the tool uses the message ID from the JSON response to construct...