The Mailpit WebSocket server is configured to accept
connections from any origin. This lack of Origin header
validation introduces a Cross-Site WebSocket Hijacking
(CSWSH) vulnerability.
An attacker can host a malicious website that, when
visited by a developer running Mailpit locally, opens a
WebSocket connection from the victim's browser to the
victim's Mailpit instance (default ws://localhost:8025).
The browser's same-origin policy does not block WebSocket
handshakes, so only server-side validation of the Origin
header could stop this. The attacker's page then receives
every event pushed over the WebSocket and can read
sensitive data such as email contents, headers, and
server statistics in real time.
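As an added example (not Mailpit's own code), the Go program below places the permissive origin check described above next to a corrected one and drives both with constructed WebSocket handshake requests. The function names, the /ws path and the attacker.example origin are assumptions for illustration; a real server would run the chosen check before handing the request to its WebSocket library's upgrade routine.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// permissiveCheckOrigin reproduces the flaw described above: every Origin is
// accepted, so a page on any site may complete the WebSocket handshake.
func permissiveCheckOrigin(r *http.Request) bool {
	return true
}

// strictCheckOrigin is the corrected check. A browser always attaches an
// Origin header to a WebSocket handshake and a page cannot suppress it, so
// the handshake is allowed only when that Origin's host matches the Host the
// request was addressed to. An absent Origin is accepted so that non-browser
// clients (curl, scripts) keep working. "null" origins (sandboxed frames,
// file://) parse to an empty host and are therefore rejected.
func strictCheckOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// wsHandler runs the chosen origin check before any upgrade would happen and
// answers 403 on failure. The real upgrade is replaced by a plain 200 so the
// example runs without a WebSocket library; "/ws" is a placeholder path.
func wsHandler(check func(*http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "origin accepted; upgrade would proceed")
	})
}

// handshakeStatus sends a constructed handshake carrying the given Origin
// (empty string = no Origin header) to the handler and returns the HTTP
// status it answers with.
func handshakeStatus(check func(*http.Request) bool, origin string) int {
	r := httptest.NewRequest(http.MethodGet, "http://localhost:8025/ws", nil)
	r.Header.Set("Upgrade", "websocket")
	r.Header.Set("Connection", "Upgrade")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	wsHandler(check).ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	for _, origin := range []string{
		"https://attacker.example", // hostile page opened by the developer
		"http://localhost:8025",    // the instance's own web UI
		"null",                     // sandboxed frame / file://
		"",                         // non-browser client, no Origin header
	} {
		fmt.Printf("origin %-26q permissive=%d strict=%d\n", origin,
			handshakeStatus(permissiveCheckOrigin, origin),
			handshakeStatus(strictCheckOrigin, origin))
	}
}
```

Comparing Origin against the request's Host is the minimal fix; an instance reached through a reverse proxy or under several hostnames would instead need a configurable allowlist of origins. Either way the decision must be made on the server, since nothing in the browser prevents a cross-origin page from starting the handshake.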