PT-2026-3406 · Mailpit · Mailpit

Omarkurt · Published 2026-01-18 · Updated 2026-03-13

CVE-2026-23829
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Mailpit versions prior to 1.28

Description: Mailpit, an email testing tool and API for developers, has a header injection issue in its SMTP server. The cause is a flawed regular expression used to validate RCPT TO and MAIL FROM addresses: the character class it uses fails to exclude carriage return (\r) and newline (\n) characters. An attacker can inject arbitrary SMTP headers or corrupt existing ones by including these characters in the email address. The insufficient filtering of control characters allows the manipulation of SMTP headers.

Recommendations: Update to version 1.28 or later.
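As an added illustration (not Mailpit's code, and not the project's actual regular expression), the Go snippet below contrasts a hypothetical address check whose negated character class lets CR and LF through with a hardened variant, and adds a separate control-character check that a server should keep regardless of the regex. The addresses fed to it are constructed sample inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical validators, not Mailpit's own code. weakAddrRe illustrates the
// bug class from the advisory: a negated character class that only excludes
// the angle-bracket delimiters, so CR and LF are accepted as part of the address.
// In Go's RE2 syntax a negated class such as [^<>] does match "\r" and "\n".
var weakAddrRe = regexp.MustCompile(`^<?([^<>]+@[^<>]+)>?$`)

// Hardened variant: the class additionally excludes CR, LF and all whitespace.
var strictAddrRe = regexp.MustCompile(`^<?([^<>\s]+@[^<>\s]+)>?$`)

// extract returns the address captured by re, or false if re rejects the input.
func extract(re *regexp.Regexp, raw string) (string, bool) {
	m := re.FindStringSubmatch(raw)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// ValidateWeak mimics the flawed check; ValidateStrict is the corrected one.
func ValidateWeak(raw string) (string, bool)   { return extract(weakAddrRe, raw) }
func ValidateStrict(raw string) (string, bool) { return extract(strictAddrRe, raw) }

// HasCRLF is an independent check worth keeping next to any regex:
// an envelope address must never carry line terminators.
func HasCRLF(s string) bool { return strings.ContainsAny(s, "\r\n") }

func main() {
	// Constructed inputs: a benign address and one carrying a CRLF payload
	// that would begin a new header line if echoed into the message.
	for _, raw := range []string{
		"<alice@example.test>",
		"<alice@example.test\r\nX-Injected: 1>",
	} {
		_, weakOK := ValidateWeak(raw)
		_, strictOK := ValidateStrict(raw)
		fmt.Printf("%q weak=%v strict=%v crlf=%v\n", raw, weakOK, strictOK, HasCRLF(raw))
	}
}
```

Running it shows the weak pattern accepting the CRLF-bearing address while the strict pattern and HasCRLF both reject it.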

Related Identifiers

CVE-2026-23829
GHSA-54WQ-72MP-CQ7C
GO-2026-4333
SUSE-SU-2026:0403-1

Affected Products

Mailpit