CVE-2026-41319 — Vulnetix

CVE-2026-41319 PUBLISHED CVSS 6.5 MEDIUM

MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue.

EPSS 0.04% · 13.6th percentile

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS Score

0.04%

13.6th percentile

Affected Products

Vendor	Product	Versions
jstedfast	MailKit	< 4.16.0

Exploit Intelligence

https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr (circl)

Timeline

Apr 18, 2026 CVE Published
Apr 24, 2026 Security Advisory
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 21, 2026 CVE Updated
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score
May 26, 2026 EPSS Score

References

https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr url

Open in Interactive Console →