VDB

CVE-2026-23829

CVE-2026-23829 PUBLISHED CVSS 5.300000190734863 MEDIUM

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

EPSS 1.59% · 82.0th percentile

Risk Scores

CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score
1.59%
82.0th percentile

Affected Products

VendorProductVersions
axllentmailpit< 1.28.3, 0, < 1.28.3
github.comaxllent/mailpit0, 0

Timeline

  • Jan 18, 2026 CVE Published
  • Jan 19, 2026 EPSS Score
  • Jan 19, 2026 PoC Published
  • Jan 20, 2026 CVE Updated
  • Jan 20, 2026 PoC Published
  • Jan 22, 2026 EPSS Score
  • Jan 24, 2026 PoC Published
  • Jan 24, 2026 PoC Published
  • Jan 24, 2026 PoC Published
  • Jan 25, 2026 EPSS Score
  • Jan 27, 2026 EPSS Score
  • Jan 30, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›