Moderate severity · OSV Advisory · Published Jan 19, 2026 · Updated Jan 20, 2026
Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API
CVE-2026-23845
Description
Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) through the HTML Check feature's remote CSS download. The HTML Check endpoint (/api/v1/message/{ID}/html-check) analyzes an HTML email for client compatibility; as part of that analysis, the inlineRemoteCSS() function downloads the CSS files referenced by the email's external stylesheet `<link>` tags and inlines them for testing. Those URLs are chosen by whoever sent the message, so a crafted email makes the Mailpit server issue HTTP requests to attacker-selected destinations whenever the check is run on it. Version 1.28.3 fixes the issue; upgrade to 1.28.3 or later.
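The following Go program is an added example and is not Mailpit's code, nor is it taken from the fix commit referenced below. It reconstructs the general pattern the description names (a CSS inliner pulling in whatever href an email's stylesheet `<link>` tags carry) and puts a hardened fetch path beside it: a pre-request URL policy, an address policy re-applied at dial time, and redirect re-validation. All function names (extractStylesheetLinks, isPublicIP, checkRemoteCSSURL, newSafeCSSClient), the sample email HTML and the stub resolver demoResolver are assumptions constructed for the example; how Mailpit itself resolved the issue in 1.28.3 is documented in the referenced commit and release.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"strings"
	"syscall"
	"time"
)

// Constructed sample email (not a real message): a stylesheet on a public CDN and one aimed at the link-local metadata address.
const sampleEmailHTML = `<html><head>
<link rel="stylesheet" href="https://cdn.example/mail.css">
<LINK REL='Stylesheet' HREF='http://169.254.169.254/latest/meta-data/'>
</head><body>hello</body></html>`

// demoResolver stands in for net.LookupIP so the example runs offline (an assumption).
func demoResolver(host string) ([]net.IP, error) {
	if host == "cdn.example" {
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

// Regexes keep the example dependency-free; a real inliner should walk a parsed DOM.
var linkTagRe = regexp.MustCompile(`(?is)<link\b[^>]*>`)
var relRe = regexp.MustCompile(`(?i)\brel\s*=\s*["']?([^"'\s>]+)`)
var hrefRe = regexp.MustCompile(`(?i)\bhref\s*=\s*["']?([^"'\s>]+)`)

// extractStylesheetLinks returns the href of every <link rel="stylesheet"> tag; the
// SSRF-prone inliner pattern is an unchecked http.Get on each of these sender-chosen URLs.
func extractStylesheetLinks(html string) []string {
	var hrefs []string
	for _, tag := range linkTagRe.FindAllString(html, -1) {
		rel, href := relRe.FindStringSubmatch(tag), hrefRe.FindStringSubmatch(tag)
		if rel != nil && href != nil && strings.EqualFold(rel[1], "stylesheet") {
			hrefs = append(hrefs, href[1])
		}
	}
	return hrefs
}

// isPublicIP rejects loopback, RFC 1918 / ULA, link-local (169.254.169.254 included),
// multicast and unspecified addresses; net.IP looks through IPv4-mapped IPv6 forms.
func isPublicIP(ip net.IP) bool {
	return ip != nil && !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// checkRemoteCSSURL runs before any request: http(s) only, a host is required, and every
// address the host maps to must be public. resolve is net.LookupIP in production.
func checkRemoteCSSURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return fmt.Errorf("only http(s) URLs with a host are allowed: %q", raw)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve it and check every record
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return fmt.Errorf("%q maps to non-public address %s", host, ip)
		}
	}
	return nil
}

// newSafeCSSClient re-applies the policy at dial time, after DNS resolution, so a name that
// was public when checked but rebinds to 127.0.0.1 before the connect is still refused, and
// re-validates every redirect target. Wrap resp.Body in io.LimitReader when reading.
func newSafeCSSClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second, Control: func(_, addr string, _ syscall.RawConn) error {
		host, _, err := net.SplitHostPort(addr)
		if err == nil && !isPublicIP(net.ParseIP(host)) {
			err = fmt.Errorf("refusing to dial %s", addr)
		}
		return err
	}}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, _ []*http.Request) error {
			return checkRemoteCSSURL(req.URL.String(), net.LookupIP)
		},
	}
}

func main() {
	for _, href := range extractStylesheetLinks(sampleEmailHTML) {
		fmt.Println(href, "->", checkRemoteCSSURL(href, demoResolver))
	}
}
```

The pre-request check alone is not enough: a hostname can resolve to a public address when checked and to a loopback or private address when the connection is actually made, so the same address policy is enforced in net.Dialer.Control, which sees the resolved ip:port just before the socket connects. Redirects are re-validated in CheckRedirect because an allowed public host can otherwise 302 the fetch into the internal network. Any fetch through this client should still bound the response body with io.LimitReader, since a stylesheet pulled in for inlining is untrusted data.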
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/axllent/mailpit (Go) | < 1.28.3 | 1.28.3 |
Affected products
- pkg:golang/github.com/axllent/mailpit (no CPE), range: < 1.28.3
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20260205T172317-150000.1.146.1
- one further entry is listed but not shown
References
- github.com/advisories/GHSA-6jxm-fv7w-rw5j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23845 (NVD entry)
- github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe (commit)
- github.com/axllent/mailpit/releases/tag/v1.28.3 (release v1.28.3)
- github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j (upstream advisory)