PT-2026-35747 · Pony Mail · Pony Mail
Li Jiantao
+1
·
Published
2026-04-28
·
Updated
2026-05-26
·
CVE-2026-41873
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Pony Mail (Lua implementation) (affected versions not specified)
Description
Inconsistent interpretation of HTTP requests, known as HTTP Request/Response Smuggling, allows for admin account takeover. This occurs when a front-end server and a back-end server disagree on the boundaries of an HTTP request, potentially allowing an attacker to "smuggle" a request to the back-end.
Recommendations
Restrict access to the instance to trusted users.
Find an alternative software solution.
Fix
HTTP Request/Response Smuggling
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pony Mail