CVE-2026-22689 — Vulnetix

CVE-2026-22689 PUBLISHED CVSS 6.5 MEDIUM

Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

EPSS 0.01% · 1.9th percentile

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS Score

0.01%

1.9th percentile

Affected Products

Vendor	Product	Versions
github.com	axllent/mailpit	1.2.6, 0
axllent	mailpit	< 1.28.2, 0

Timeline

Jan 8, 2026 CVE ID Reserved
Jan 10, 2026 EPSS Score
Jan 10, 2026 CVE Published
Jan 12, 2026 CVE Updated
Jan 13, 2026 EPSS Score
Jan 16, 2026 EPSS Score
Jan 19, 2026 EPSS Score
Jan 22, 2026 EPSS Score
Jan 24, 2026 PoC Published
Jan 24, 2026 PoC Published
Jan 25, 2026 EPSS Score
Jan 28, 2026 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›