CVE-2026-23845

Medium CVSS: 5.8

Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.

Vendor

Axllent

Product

Mailpit

CWE

CWE-918

Yayın Tarihi

2026-01-19 19:16:04

Güncelleme

2026-02-05 18:35:31

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Mailpit MEDIUM Axllent 2026

Referanslar

https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe https://github.com/axllent/mailpit/releases/tag/v1.28.3 https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j

Benzer Kayıtlar

Medium

CVE-2026-27808

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{I…

Medium

CVE-2026-23829

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to…

Medium

CVE-2026-22689

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is config…

Medium

CVE-2026-21859

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (S…