VDB
CVE-2026-23829
CVE-2026-23829
PUBLISHED
CVSS 5.300000190734863 MEDIUM
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
EPSS 1.59% · 82.0th percentile
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score
1.59%
82.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| axllent | mailpit | < 1.28.3, 0, < 1.28.3 |
| github.com | axllent/mailpit | 0, 0 |
Timeline
- Jan 18, 2026 CVE Published
- Jan 19, 2026 EPSS Score
- Jan 19, 2026 PoC Published
- Jan 20, 2026 CVE Updated
- Jan 20, 2026 PoC Published
- Jan 22, 2026 EPSS Score
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 25, 2026 EPSS Score
- Jan 27, 2026 EPSS Score
- Jan 30, 2026 EPSS Score
References
- https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c url
- https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 url
- https://github.com/axllent/mailpit/releases/tag/v1.28.3 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-23829 advisory
- https://github.com/axllent/mailpit package