CVE-2026-23845
Severity: HIGH
WAF Coverage: Medium
CVSS: 7.5
Published: 2026-01-19
CWE-918 (Server-Side Request Forgery)
Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via the HTML Check CSS download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) analyzes HTML emails for client compatibility. As part of that analysis, the `inlineRemoteCSS()` function automatically downloads the CSS files referenced by external `<link>` tags so it can inline them for testing. Because those URLs come from the message itself, a crafted email can make the Mailpit server issue requests to destinations of the sender's choosing. Version 1.28.3 fixes the issue.
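A defender-side check for the sink described above, added here as an illustration and not Mailpit's own code or its 1.28.3 fix: it validates a `<link>` href taken from an untrusted message before the server fetches it, rejecting non-HTTP schemes and any host that resolves to a loopback, private, link-local or otherwise non-public address. The `Resolver` type, `CheckRemoteCSSURL` and the address policy are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver maps a hostname to its addresses. It is injected so the check can
// run offline in tests and so production code can plug in its own resolver.
type Resolver func(host string) ([]net.IP, error)

// isPublicIP rejects loopback, RFC 1918 private, link-local (which covers the
// 169.254.169.254 cloud metadata range), unspecified and multicast addresses.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// CheckRemoteCSSURL validates a <link href="..."> URL from an untrusted email
// before the server fetches it (hypothetical guard, not Mailpit's code). On
// success it returns the address the caller should dial directly, so a DNS
// answer that changes between check and fetch cannot redirect the request.
func CheckRemoteCSSURL(raw string, resolve Resolver) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("missing host in %q", raw)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve the name
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	// Every address must be public; a single internal A record is enough to abuse.
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return ips[0], nil
}
```

The caller should connect to the returned IP (for example via a custom `net.Dialer` that ignores the hostname) and apply the same check to every redirect target.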
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| axllent | mailpit | up to 1.28.3 |
References
- github.com (Patch)
- github.com (Product, Release Notes)
- github.com (Exploit, Vendor Advisory)