CVE-2026-21859

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-21859

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21859.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-21859

Aliases

Related

GHSA-8v65-47jx-7mfr

Published

2026-01-08T00:16:00.150Z

Modified

2026-01-12T18:11:14.677130Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.

References

Affected packages

Git / github.com/axllent/mailpit

Affected ranges

Type: GIT
Repo: https://github.com/axllent/mailpit
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3b9b470c093b3d20b7d751722c1c24f3eed2e19d

Affected versions

0.*

0.0.1-beta

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

1.*

1.0.0

1.0.0-beta1

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.7

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

v1.*

v1.10.0

v1.10.1

v1.10.2

v1.10.3

v1.10.4

v1.11.0

v1.11.1

v1.12.0

v1.12.1

v1.13.0

v1.13.1

v1.13.2

v1.13.3

v1.14.0

v1.14.1

v1.14.2

v1.14.3

v1.14.4

v1.15.0

v1.15.1

v1.16.0

v1.17.0

v1.17.1

v1.18.0

v1.18.1

v1.18.2

v1.18.3

v1.18.4

v1.18.5

v1.18.6

v1.18.7

v1.19.0

v1.19.1

v1.19.2

v1.19.3

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.20.0

v1.20.1

v1.20.2

v1.20.3

v1.20.4

v1.20.5

v1.20.6

v1.20.7

v1.21.0

v1.21.1

v1.21.2

v1.21.3

v1.21.4

v1.21.5

v1.21.6

v1.21.7

v1.21.8

v1.22.0

v1.22.1

v1.22.2

v1.22.3

v1.23.0

v1.23.1

v1.23.2

v1.24.0

v1.24.1

v1.24.2

v1.25.0

v1.25.1

v1.26.0

v1.26.1

v1.26.2

v1.27.0

v1.27.1

v1.27.10

v1.27.11

v1.27.2

v1.27.3

v1.27.4

v1.27.5

v1.27.6

v1.27.7

v1.27.8

v1.27.9

v1.28.0

v1.3.0

v1.3.1

v1.3.10

v1.3.11

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4.0

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6.0

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.13

v1.6.14

v1.6.15

v1.6.16

v1.6.17

v1.6.18

v1.6.19

v1.6.2

v1.6.20

v1.6.21

v1.6.22

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.0

v1.7.1

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.9.0

v1.9.1

v1.9.10

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v1.9.8

v1.9.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21859.json"