SecuriTricks - CVE-2026-23829

Description

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

Product(s) Impacted

Vendor	Product	Versions
Mailpit	Mailpit	<1.28, 1.28.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	mailpit	mailpit	<1.28	/	/	/	/	/	/	/
a	mailpit	mailpit	1.28.3	/	/	/	/	/	/	/

References

https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534

https://github.com/axllent/mailpit/releases/tag/v1.28.3

https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c

CVSS Score

5.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

View Vector String

Timeline

Published: Jan. 19, 2026, 12:15 a.m.
Last Modified: Jan. 19, 2026, 7:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-23829