CVE-2026-41873

· Published 28/04/2026 16:16 · Modified 29/04/2026 13:16

Labels: CVE-2026-41873, 2026-04-28, CWE-444, [email protected]

Essential information

Published: 28/04/2026 16:16
Modified: 29/04/2026 13:16
Author:
Creator:
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-444
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

NVD status

Status: Modified. CVE is currently being analyzed by NVD staff; this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source: [email protected]

Affected products (CPE)

Product: apache / pony mail
CPE: cpe:2.3:a:apache:pony_mail:*:*:*:*:*:*:*:*

References