Security: axllent/mailpit
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms (follow-up to GHSA-mpf7-p9x7-96r3 / CVE-2026-27808)
  GHSA-w4mc-hhc6-xp28, published Jun 17, 2026 by axllent. Severity: Moderate
- Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)
  GHSA-28pq-6qxg-wg5r, published May 28, 2026 by axllent. Severity: Moderate
- Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
  GHSA-fpxj-m5q8-fphw, published May 14, 2026 by axllent. Severity: High
- Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)
  GHSA-w4vj-r5pg-3722, published May 14, 2026 by axllent. Severity: Moderate
- Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs
  GHSA-qx5x-85p8-vg4j, published May 14, 2026 by axllent. Severity: Moderate
- Incomplete fix for GHSA-6jxm-fv7w-rw5j: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer
  GHSA-j3fj-qppj-fmmc, published May 14, 2026 by axllent. Severity: Moderate
- Server-Side Request Forgery (SSRF) via Link Check API
  GHSA-mpf7-p9x7-96r3, published Feb 24, 2026 by axllent. Severity: Moderate
- SMTP Header Injection via Regex Bypass
  GHSA-54wq-72mp-cq7c, published Jan 17, 2026 by axllent. Severity: Moderate
- Server-Side Request Forgery (SSRF) via HTML Check API
  GHSA-6jxm-fv7w-rw5j, published Jan 18, 2026 by axllent. Severity: Moderate
- Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data
  GHSA-524m-q5m7-79mm, published Jan 9, 2026 by axllent. Severity: Moderate