Server-Side Request Forgery Vulnerability in Mailpit Email Testing Tool
CVE-2026-23845

5.8MEDIUM

Key Information:

Vendor: Axllent
Status: Vendor
CVE Published: 19 January 2026

What is CVE-2026-23845?

Mailpit, an email testing tool and API used predominantly by developers, contains a Server-Side Request Forgery (SSRF) vulnerability in its HTML Check feature. When an HTML email is analysed, the function inlineRemoteCSS() fetches the stylesheet referenced by each external <link rel="stylesheet" href="..."> tag, so a crafted message can cause the Mailpit server itself to issue requests to internal or external services chosen by the message's author. The vulnerability affects all versions of Mailpit before 1.28.3 and is fixed in that release. Users are strongly encouraged to update their installations to mitigate the risk.
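The class of fix that addresses this kind of flaw is to validate every stylesheet URL before the server fetches it: only http(s) schemes, no loopback, private, link-local or unspecified addresses, and resolution of hostnames re-checked at connect time. The following Go program is an added illustration written for this page; it is not Mailpit's code and does not reproduce the project's actual patch. The HTML snippet, the function names and the URL values in it are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// sampleHTML is a constructed HTML email body, not taken from the advisory.
// It mixes one plausibly safe stylesheet with several that must never be fetched.
const sampleHTML = `<html><head>
<link rel="stylesheet" href="https://cdn.example.com/mail.css">
<link rel="stylesheet" href="http://127.0.0.1:8080/internal.css">
<link rel="stylesheet" href="http://169.254.10.20/style.css">
<link rel="stylesheet" href="file:///etc/hosts">
<link href="http://[::1]/x.css" rel="stylesheet">
<link rel="icon" href="http://10.0.0.5/favicon.ico">
</head><body>hello</body></html>`

var (
	linkTagRe = regexp.MustCompile(`(?is)<link\b[^>]*>`)
	attrRe    = regexp.MustCompile(`(?i)\b(rel|href)\s*=\s*"([^"]*)"`)
)

// stylesheetHrefs returns the href of every <link rel="stylesheet"> tag, in
// document order. Other <link> kinds (icons, preloads) are ignored.
func stylesheetHrefs(html string) []string {
	var out []string
	for _, tag := range linkTagRe.FindAllString(html, -1) {
		var rel, href string
		for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
			switch strings.ToLower(m[1]) {
			case "rel":
				rel = strings.ToLower(strings.TrimSpace(m[2]))
			case "href":
				href = strings.TrimSpace(m[2])
			}
		}
		if rel == "stylesheet" && href != "" {
			out = append(out, href)
		}
	}
	return out
}

// isPublicIP reports whether ip lies outside loopback, private (RFC 1918 /
// ULA), link-local, multicast and unspecified ranges.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// checkStylesheetURL decides whether a remote stylesheet URL may be fetched
// and returns the reason for the decision. Hostnames pass this static check
// but must be resolved and every resolved address re-checked at connect time.
func checkStylesheetURL(raw string) (bool, string) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, "unparseable URL"
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false, "scheme not http(s): " + u.Scheme
	}
	host := strings.ToLower(u.Hostname()) // brackets around IPv6 literals are stripped
	if host == "" {
		return false, "empty host"
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return false, "localhost is never fetched"
	}
	if ip := net.ParseIP(host); ip != nil {
		if !isPublicIP(ip) {
			return false, "non-public IP literal " + ip.String()
		}
		return true, "public IP literal"
	}
	return true, "hostname; resolve and re-check each address before connecting"
}

// partitionStylesheets splits the stylesheet URLs of an HTML body into those
// that pass the static check and those that are blocked.
func partitionStylesheets(html string) (allowed, blocked []string) {
	for _, href := range stylesheetHrefs(html) {
		if ok, _ := checkStylesheetURL(href); ok {
			allowed = append(allowed, href)
		} else {
			blocked = append(blocked, href)
		}
	}
	return allowed, blocked
}

func main() {
	for _, href := range stylesheetHrefs(sampleHTML) {
		ok, why := checkStylesheetURL(href)
		fmt.Printf("%-45s allowed=%-5v %s\n", href, ok, why)
	}
}
```

The static check alone is not sufficient for hostnames: a name can resolve to a loopback or private address, or change between the check and the connection (DNS rebinding). In a real fetcher, resolve the name yourself, run isPublicIP over every returned address, and connect only to an address that passed, for example by installing a net.Dialer Control hook that rejects any non-public destination just before the socket connects.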


Affected Version(s)

mailpit < 1.28.3

References

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
