VDB

CVE-2026-27808

CVE-2026-27808 PUBLISHED CVSS 5.800000190734863 MEDIUM

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.

EPSS 0.05% · 15.2th percentile

Risk Scores

CVSS 3.1
5.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS Score
0.05%
15.2th percentile

Affected Products

VendorProductVersions
github.comaxllent/mailpit0, 0, 0
axllentmailpit0, < 1.29.2, 0

Timeline

  • Feb 24, 2026 CVE ID Reserved
  • Feb 25, 2026 CVE Published
  • Feb 26, 2026 EPSS Score
  • Feb 26, 2026 CVE Updated
  • Feb 26, 2026 PoC Published
  • Feb 27, 2026 EPSS Score
  • Mar 1, 2026 EPSS Score
  • Mar 2, 2026 EPSS Score
  • Mar 4, 2026 EPSS Score
  • Mar 5, 2026 EPSS Score
  • Mar 7, 2026 EPSS Score
  • Mar 8, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›