PT-2026-22057 · Mailpit · Mailpit

Rtvkiz · Published 2026-02-25 · Updated 2026-03-25 · CVE-2026-27808

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mailpit versions prior to 1.29.2

Description: Mailpit is an email testing tool and API for developers. A Server-Side Request Forgery (SSRF) issue exists in the Link Check API. This allows unauthenticated remote attackers to map internal networks and enumerate cloud resources. The vulnerable API endpoint is /api/v1/message/{ID}/link-check. The vulnerability allows attackers to perform internal port scanning.

Recommendations: Update Mailpit to version 1.29.2 or later.
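As an added illustration (not Mailpit's own code, and not the fix shipped in 1.29.2, whose details this entry does not give), a Go guard of the kind a link checker can apply before fetching URLs taken from an untrusted message: only http(s) schemes, and every address the host resolves to must be public. The resolver is an injected, constructed stand-in that accepts IP literals only, so the example runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// blockedTarget reports whether a resolved address lies in a range a
// link checker must never reach on behalf of an unauthenticated caller:
// loopback, RFC 1918 / ULA, link-local (incl. 169.254.0.0/16), multicast, unspecified.
func blockedTarget(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkLinkTarget allows only http(s) URLs whose host resolves solely to
// public addresses. The resolver is injected so the check runs offline
// with constructed answers; production code would pass a real DNS lookup.
func checkLinkTarget(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", u.Hostname(), err)
	}
	// One internal answer among several (e.g. a DNS record pointing at
	// an internal service) is enough to reject the whole link.
	for _, ip := range ips {
		if blockedTarget(ip) {
			return fmt.Errorf("target %s is an internal address", ip)
		}
	}
	return nil
}

// resolveLiteral is the constructed offline resolver used in this
// example: it accepts IP literals only and fails for any hostname.
func resolveLiteral(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	return nil, fmt.Errorf("offline resolver: %q is not an IP literal", host)
}
```

Checking at parse time alone still leaves a DNS rebinding window between the check and the connect; applying the same test in the HTTP client's dialer control closes it.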

Tags: Exploit · Fix · SSRF


Related Identifiers

CVE-2026-27808
GHSA-MPF7-P9X7-96R3
GO-2026-4558
SUSE-SU-2026:1042-1

Affected Products

Mailpit