Critical severity9.8NVD Advisory· Published Apr 28, 2026· Updated Apr 29, 2026

CVE-2026-41873

Description

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover.

This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet.

As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected products

Apache/Pony Mail
cpe:2.3:a:apache:pony_mail:*:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.apache.org/thread/1c7jtxjobh280kqc13fzw1cg57xrz951nvdMailing ListVendor Advisory
www.openwall.com/lists/oss-security/2026/04/28/17nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000