CVE-2026-23829 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-23829 PUBLISHED CVSS 5.300000190734863 MEDIUM

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

EPSS 0.90% · 75.5th percentile

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Score

0.90%

75.5th percentile

Affected Products

Vendor	Product	Versions
axllent	mailpit	< 1.28.3, 0, < 1.28.3
github.com	axllent/mailpit	0, 0

Timeline

Jan 18, 2026 CVE Published
Jan 19, 2026 EPSS Score
Jan 19, 2026 PoC Published
Jan 20, 2026 PoC Published
Jan 21, 2026 EPSS Score
Jan 23, 2026 EPSS Score
Jan 24, 2026 PoC Published
Jan 24, 2026 PoC Published
Jan 24, 2026 PoC Published
Jan 26, 2026 EPSS Score
Jan 28, 2026 EPSS Score
Jan 30, 2026 EPSS Score

References

Open in Interactive Console →