Moderate severity · OSV Advisory · Published Jan 18, 2026 · Updated Jan 20, 2026
Mailpit has SMTP Header Injection via Regex Bypass
CVE-2026-23829
Description
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to header injection because of an insufficient regular expression used to validate RCPT TO and MAIL FROM addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (\r) in the email address. The injection is possible because the regex intended to filter control characters fails to exclude \r and \n when they are used inside a character class. Version 1.28.3 fixes this issue.
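To make the flaw class concrete, the following Go example (added here; it is not Mailpit's code and the regexes are constructed for illustration) contrasts a negated character class that lists the characters its author thought of but not CR/LF with a hardened validator that names the control range explicitly and also checks for control characters independently of the regex. The address strings are constructed test input.

```go
package main

import (
	"fmt"
	"regexp"
)

// looseAddress is a hypothetical, deliberately weak validator: the negated
// class rejects angle brackets, "@" and spaces, but says nothing about "\r"
// or "\n". In Go's RE2 syntax a negated class matches newline by default, and
// "$" without the multi-line flag only anchors at end of text, so an address
// carrying a CRLF sequence still matches.
var looseAddress = regexp.MustCompile(`^[^<>@ ]+@[^<>@ ]+$`)

// strictAddress is the tightened form: the C0 control range and DEL are
// listed inside the class, so the regex itself refuses CR and LF.
var strictAddress = regexp.MustCompile(`^[^<>@ \x00-\x1f\x7f]+@[^<>@ \x00-\x1f\x7f]+$`)

// IsLooselyValid applies only the weak regex (the flaw).
func IsLooselyValid(addr string) bool {
	return looseAddress.MatchString(addr)
}

// hasControlChar reports whether addr contains any ASCII control character,
// which is the property that matters for header injection regardless of
// what the regex happens to say.
func hasControlChar(addr string) bool {
	for _, r := range addr {
		if r < 0x20 || r == 0x7f {
			return true
		}
	}
	return false
}

// IsStrictlyValid rejects control characters with an explicit scan and then
// applies the tightened regex, so the decision does not rest on one
// character class being written exactly right.
func IsStrictlyValid(addr string) bool {
	if hasControlChar(addr) {
		return false
	}
	return strictAddress.MatchString(addr)
}

func main() {
	// Constructed inputs: a clean address and one carrying a CRLF that would
	// start a new header line if copied verbatim into a message.
	for _, addr := range []string{"user@example.test", "user@example.test\r\nX-Injected:yes"} {
		fmt.Printf("%q loose=%v strict=%v\n", addr, IsLooselyValid(addr), IsStrictlyValid(addr))
	}
}
```

The independent control-character scan is the part worth keeping even after the regex is fixed: it is short, easy to review, and makes the rejection of CR/LF explicit in the code rather than implicit in a character class.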
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/axllent/mailpit (Go) | < 1.28.3 | 1.28.3 |
Affected products
- pkg:golang/github.com/axllent/mailpit (no CPE), range: < 1.28.3
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20260205T172317-150000.1.146.1
References
- https://github.com/advisories/GHSA-54wq-72mp-cq7c (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-23829 (NVD advisory)
- https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 (fix commit)
- https://github.com/axllent/mailpit/releases/tag/v1.28.3 (release notes)
- https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c (vendor advisory, confirmed)