CVE-2026-21859
Last modified
CVE-2026-21859 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. EPSS estimates a 0.76% chance of exploitation in the next 30 days.
Description
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Axllent | Mailpit | < 1.28.1 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-21859?
How severe is CVE-2026-21859?
How do I fix CVE-2026-21859?
Are you affected by CVE-2026-21859?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST