VYPR

Go modules package

github.com/axllent/mailpit

pkg:golang/github.com/axllent/mailpit

Vulnerabilities (5)

  • CVE-2026-27808 (Feb 25, 2026)
    affected < 1.29.2; fixed 1.29.2

    Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating tar

  • CVE-2026-23845 (Jan 19, 2026)
    affected < 1.28.3; fixed 1.28.3

    Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. Dur

  • CVE-2026-23829 (Jan 18, 2026)
    affected < 1.28.3; fixed 1.28.3

    Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers

  • CVE-2026-22689 (Jan 10, 2026)
    affected >= 1.2.6, < 1.28.2; fixed 1.28.2

    Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker

  • CVE-2026-21859 (Jan 7, 2026)
    affected < 1.28.1; fixed 1.28.1

    Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https://