216.73.217.86

CVE-2026-23845

· Published 19/01/2026 19:16 · Modified 19/01/2026 19:16

Labels: CVE-2026-23845 2026-01-19CVE-2026-23845CWE-918[email protected]

Essential information

Published
19/01/2026 19:16
Modified
19/01/2026 19:16
Author
Creator
CVSS
5.8 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVSS metrics

Description

Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
mailpit / mailpit cpe:2.3:a:mailpit:mailpit:<1.28.3:*:*:*:*:*:*:*

References