PT-2026-2243 · Mailpit · Mailpit

Omarkurt · Published 2026-01-10 · Updated 2026-02-18 · CVE-2026-22689

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mailpit versions prior to 1.28.2
Description: Mailpit, an email testing tool and API for developers, contains a Cross-Site WebSocket Hijacking (CSWSH) issue in its WebSocket server. In versions prior to 1.28.2 the server does not validate the Origin header, so a malicious website visited by a developer running Mailpit locally can open a WebSocket connection to that developer's Mailpit instance from the developer's own browser. Over this connection the attacker can intercept sensitive data in real time, including email contents, headers, and server statistics. The default WebSocket endpoint is ws://localhost:8025.
Recommendations: Update Mailpit to version 1.28.2 or later.
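As an added illustration (not Mailpit's own code or its actual 1.28.2 patch), the kind of Origin check the description says was missing: a browser always sends Origin on a cross-site WebSocket handshake, so refusing any Origin that is not our own host stops a page on another site from opening the socket, while requests with no Origin (non-browser clients) still pass. The names originAllowed and checkOriginMiddleware are hypothetical; localhost:8025 is the page's default endpoint, and the check also handles the "null" and malformed Origin cases.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// originAllowed reports whether a WebSocket handshake may proceed, given the
// request's Origin header and the Host it was sent to (e.g. "localhost:8025").
// Hypothetical helper, not Mailpit code. An absent Origin means a non-browser
// client (curl, a script), which a malicious web page cannot drive through the
// victim's browser, so it is accepted; anything else must match our own host.
func originAllowed(origin, host string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false // "null", malformed, or a non-web scheme
	}
	return strings.EqualFold(u.Host, host)
}

// checkOriginMiddleware answers cross-site upgrade attempts with 403 before
// the handshake completes, so no frames (and no mailbox data) ever flow.
func checkOriginMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
			!originAllowed(r.Header.Get("Origin"), r.Host) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample Origin values for handshakes against localhost:8025.
	for _, origin := range []string{"http://localhost:8025", "https://evil.example", "null", ""} {
		fmt.Printf("Origin %q -> allowed=%v\n", origin, originAllowed(origin, "localhost:8025"))
	}
}
```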

Related Identifiers

CVE-2026-22689
GHSA-524M-Q5M7-79MM
GO-2026-4310
SUSE-SU-2026:0292-1

Affected Products

Mailpit