{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23845", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.842Z", "datePublished": "2026-01-19T19:01:38.163Z", "dateUpdated": "2026-01-20T20:05:35.862Z"}, "containers": {"cna": {"title": "Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j"}, {"name": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe", "tags": ["x_refsource_MISC"], "url": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe"}, {"name": "https://github.com/axllent/mailpit/releases/tag/v1.28.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"}], "affected": [{"vendor": "axllent", "product": "mailpit", "versions": [{"version": "< 1.28.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T19:01:38.163Z"}, "descriptions": [{"lang": "en", "value": "Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel=\"stylesheet\" href=\"...\">` tags to inline them for testing. Version 1.28.3 fixes the issue."}], "source": {"advisory": "GHSA-6jxm-fv7w-rw5j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T20:04:04.082622Z", "id": "CVE-2026-23845", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:05:35.862Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23845", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T20:04:04.082622Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:04:05.285Z"}}], "cna": {"title": "Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API", "source": {"advisory": "GHSA-6jxm-fv7w-rw5j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "axllent", "product": "mailpit", "versions": [{"status": "affected", "version": "< 1.28.3"}]}], "references": [{"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j", "name": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe", "name": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3", "name": "https://github.com/axllent/mailpit/releases/tag/v1.28.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel=\"stylesheet\" href=\"...\">` tags to inline them for testing. Version 1.28.3 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T19:01:38.163Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23845", "state": "PUBLISHED", "dateUpdated": "2026-01-20T20:05:35.862Z", "dateReserved": "2026-01-16T15:46:40.842Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T19:01:38.163Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*", "matchCriteriaId": "D00C1680-049F-472C-A900-66D6B2A11A04", "versionEndExcluding": "1.28.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel=\"stylesheet\" href=\"...\">` tags to inline them for testing. Version 1.28.3 fixes the issue."}], "id": "CVE-2026-23845", "lastModified": "2026-02-05T18:35:31.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-19T19:16:04.820", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:02:54.588348+00:00", "value": {"mitigation_remediation": ["Upgrade axllent Mailpit to version 1.28.3 or newer.", "If upgrading cannot be performed immediately, restrict network access to the /api/v1/message/{ID}/html-check endpoint so that only trusted networks or users can reach it.", "Consider disabling the inlineRemoteCSS feature or validating CSS URLs to ensure they point only to trusted domains."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery (SSRF)"}, "threat_synthesis": {"affected_systems": "axllent Mailpit versions prior to 1.28.3 are impacted. The affected releases are those below the 1.28.3 tag released in August\u202f2026. All deployments using these older binaries are vulnerable regardless of service configuration.", "description_and_impact": "Mailpit, an email testing tool and API for developers, contains a server\u2011side request forgery flaw in versions older than 1.28.3. The vulnerability resides in the HTML Check feature, which automatically fetches CSS files linked within an email in order to inline them for compatibility testing. An attacker can supply a crafted <link> tag that points to any internal or external resource, causing the Mailpit server to retrieve it. This allows the attacker to access internal network services, exfiltrate data, or perform further malicious activity. The weakness is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score for this flaw is 5.8, indicating a moderate severity. The EPSS score is below\u202f1\u202f%, suggesting the likelihood of exploitation in the near future is low. The flaw is not listed in the CISA KEV catalog. Because the API endpoint can be triggered via normal HTTP requests, the attack vector depends on whether the endpoint is exposed to the public internet or limited to trusted users. If the endpoint is publicly accessible, an unauthenticated or authenticated attacker could abuse SSRF to reach arbitrary internal hosts. If access is restricted, the risk is mitigated by limiting the reach of the request."}}}}, "created": "2026-01-20T08:40:27.138969+00:00", "updated": "2026-04-18T05:15:15.971418+00:00", "vendors": ["axllent", "axllent$PRODUCT$mailpit"]}