PT-2026-3488 · Mailpit · Mailpit

Mdisec · Published 2026-01-19 · Updated 2026-02-26 · CVE-2026-23845 · CVSS v3.1 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mailpit versions prior to 1.28.3
Description: Mailpit, an email testing tool and API for developers, contains a Server-Side Request Forgery (SSRF) issue in the HTML Check CSS Download functionality, part of the HTML Check feature exposed through the /api/v1/message/{ID}/html-check API endpoint. During HTML analysis the inlineRemoteCSS() function automatically downloads CSS files from the external sources named in <link rel="stylesheet" href="..."> tags of the message. Because those tags are controlled by whoever sent the message, an attacker can make the Mailpit server issue requests to destinations of their choosing, including internal hosts that are reachable only from the server.
Recommendations: Update to Mailpit version 1.28.3 or later.
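The mechanism described above, as an added example that is not Mailpit's own code and does not reproduce the 1.28.3 fix: a Go program that extracts stylesheet hrefs from a constructed message body the way an HTML-check step would, then applies a destination check (scheme allow-list, localhost rejection, and blocking of loopback, private, link-local and unspecified addresses after resolution) before any request would be issued. The sample HTML, the host names and the stub resolver are constructed for the example; the endpoint names in it are assumptions, not values from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample message body (not from the advisory). Whoever sends a
// message controls every <link> tag in it; two point at addresses a server-side
// fetcher must never contact, one at a public name that resolves internally.
const sampleHTML = `<html><head>
<link rel="stylesheet" href="https://cdn.example.com/main.css">
<link href='http://127.0.0.1:8025/api/v1/messages' rel='stylesheet'>
<link rel="stylesheet" href="http://169.254.169.254/latest/meta-data/">
<link rel="stylesheet preload" href="http://rebind.example.net/a.css">
<link rel="icon" href="http://cdn.example.com/favicon.ico">
</head><body><p>hello</p></body></html>`

var (
	linkTagRe = regexp.MustCompile(`(?is)<link\b[^>]*>`)
	attrRe    = regexp.MustCompile(`(?is)\b(rel|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
)

// hasToken reports whether a space-separated attribute value contains want.
func hasToken(attr, want string) bool {
	for _, t := range strings.Fields(attr) {
		if strings.EqualFold(t, want) {
			return true
		}
	}
	return false
}

// extractStylesheetLinks returns the href of every <link rel="stylesheet">
// tag, regardless of attribute order or quoting style.
func extractStylesheetLinks(doc string) []string {
	var out []string
	for _, tag := range linkTagRe.FindAllString(doc, -1) {
		var rel, href string
		for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
			val := m[2] + m[3] + m[4] // exactly one quoting alternative matched
			switch strings.ToLower(m[1]) {
			case "rel":
				rel = val
			case "href":
				href = val
			}
		}
		if hasToken(rel, "stylesheet") && href != "" {
			out = append(out, href)
		}
	}
	return out
}

// Resolver is injected so the check runs offline; real code passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// blockedIP covers loopback, RFC 1918 / ULA, link-local (including the
// 169.254.169.254 metadata address), unspecified and multicast ranges.
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkRemoteCSSTarget decides whether a stylesheet URL may be fetched at all.
func checkRemoteCSSTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // brackets already stripped for IPv6 literals
	if host == "" {
		return errors.New("empty host")
	}
	if strings.EqualFold(host, "localhost") || strings.HasSuffix(strings.ToLower(host), ".localhost") {
		return errors.New("localhost not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return err
	} else if len(ips) == 0 {
		return fmt.Errorf("%s has no addresses", host)
	}
	for _, ip := range ips {
		if blockedIP(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// triageStylesheets splits the message's stylesheet URLs into those the guard
// would allow a fetcher to request and those it rejects.
func triageStylesheets(doc string, resolve Resolver) (allowed, rejected []string) {
	for _, href := range extractStylesheetLinks(doc) {
		if err := checkRemoteCSSTarget(href, resolve); err != nil {
			rejected = append(rejected, href)
		} else {
			allowed = append(allowed, href)
		}
	}
	return allowed, rejected
}

// stubResolver stands in for DNS (constructed answers, documentation ranges).
func stubResolver(host string) ([]net.IP, error) {
	switch host {
	case "cdn.example.com":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "rebind.example.net":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil // public name, private answer
	}
	return nil, fmt.Errorf("unknown host %q", host)
}

func main() {
	allowed, rejected := triageStylesheets(sampleHTML, stubResolver)
	fmt.Println("allowed: ", allowed)
	fmt.Println("rejected:", rejected)
}
```

The check validates the resolved addresses, not just the host string, so a public name that answers with an internal address is caught; it is still a pre-flight check, so a fetcher that later resolves the name again (or follows redirects) needs the same policy applied on the dialed address and on every redirect hop, otherwise DNS rebinding or an open redirect reopens the hole.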

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-23845
GHSA-6JXM-FV7W-RW5J
GO-2026-4345
SUSE-SU-2026:0403-1

Affected Products

Mailpit