Server-Side Request Forgery in Mailpit Email Testing Tool
CVE-2026-21859

5.8MEDIUM

Key Information:

Vendor: Axllent
Status: Mailpit
Vendor: CVE Published:; 7 January 2026

What is CVE-2026-21859?

Mailpit, a popular email testing tool used by developers, has a vulnerability in its /proxy endpoint that allows attackers to exploit Server-Side Request Forgery (SSRF). This flaw exists in versions up to 1.28.0, where the endpoint fails to block internal IP addresses after validating http:// and https:// schemes. Consequently, attackers can gain unauthorized access to internal services and APIs via HTTP GET requests with minimal headers. The vulnerability has been resolved in version 1.28.1, and users are advised to update promptly to safeguard their networks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

mailpit < 1.28.1

References

https://github.com/axllent/mailpit/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/axllent/mailpit/commit/3b9b470c093b3d2...

x_refsource_MISC

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Jan 5, 2026

JSON

Axllent

What is CVE-2026-21859?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.