FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mail/mailpit -- Server-Side Request Forgery

Affected packages
mailpit < 1.28.1

Details

VuXML ID df33c83b-eb4f-11f0-a46f-0897988a1c07
Discovery 2026-01-06
Entry 2026-01-06

Mailpit author reports:

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
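
A sketch of the destination check the report says is missing, added here as an illustration and not taken from Mailpit's code or its fix: the http/https scheme check is kept, and a target is rejected when any address its host maps to is loopback, private, link-local, multicast or unspecified. The names validateTarget, isInternal and constructedDNS, the injected resolver, and the sample hostnames and addresses are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
)

var errBlocked = errors.New("proxy destination not allowed")

// isInternal reports whether ip is loopback, private, link-local, multicast or unspecified.
func isInternal(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsMulticast() || ip.IsUnspecified()
}

// validateTarget keeps the scheme check and adds the address check; resolve is injected so it runs offline.
func validateTarget(raw string, resolve func(string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("%w: need an http(s) URL with a host", errBlocked)
	}
	host := u.Hostname()
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // IP literal: nothing to resolve
	} else if addrs, err = resolve(host); err != nil || len(addrs) == 0 {
		return fmt.Errorf("%w: cannot resolve %s", errBlocked, host)
	}
	for _, a := range addrs { // reject if ANY answer is internal
		if isInternal(a) {
			return fmt.Errorf("%w: %s maps to %s", errBlocked, host, a)
		}
	}
	return nil
}

// constructedDNS is made-up sample data standing in for real DNS answers.
func constructedDNS(host string) ([]netip.Addr, error) {
	m := map[string]string{"intranet.example": "10.0.0.5", "cdn.example": "203.0.113.10"}
	ip, err := netip.ParseAddr(m[host]) // unknown host -> parse error
	return []netip.Addr{ip}, err
}

func main() {
	for _, t := range []string{"http://127.0.0.1:8025/api", "https://intranet.example/", "https://cdn.example/a.css"} {
		fmt.Println(t, "->", validateTarget(t, constructedDNS))
	}
}
```

A check like this only covers the URL as submitted; the same address test also has to apply to the address actually dialed and to every redirect hop, because a hostname can resolve differently between validation and connection.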

References

CVE Name CVE-2026-21859
URL https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr