FKIE_CVE-2026-23829

Vulnerability from fkie_nvd - Published: 2026-01-19 00:15 - Updated: 2026-02-23 17:29
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
References
security-advisories@github.comhttps://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534Patch
security-advisories@github.comhttps://github.com/axllent/mailpit/releases/tag/v1.28.3Product, Release Notes
security-advisories@github.comhttps://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7cExploit, Third Party Advisory, Mitigation
Impacted products
Vendor Product Version
axllent mailpit *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D00C1680-049F-472C-A900-66D6B2A11A04",
              "versionEndExcluding": "1.28.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit\u0027s SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\\r` and `\\n` when used inside a character class. Version 1.28.3 fixes this issue."
    },
    {
      "lang": "es",
      "value": "Mailpit es una herramienta de pruebas de correo electr\u00f3nico y una API para desarrolladores. Antes de la versi\u00f3n 1.28.3, el servidor SMTP de Mailpit era vulnerable a la inyecci\u00f3n de encabezados debido a una expresi\u00f3n regular insuficiente utilizada para validar las direcciones `RCPT TO` y `MAIL FROM`. Un atacante puede inyectar encabezados SMTP arbitrarios (o corromper los existentes) incluyendo caracteres de retorno de carro (\"\\r\") en la direcci\u00f3n de correo electr\u00f3nico. Esta inyecci\u00f3n de encabezados se produce porque la expresi\u00f3n regular destinada a filtrar los caracteres de control no excluye \"\\r\" y \"\\n\" cuando se utiliza dentro de una clase de caracteres. La versi\u00f3n 1.28.3 corrige este problema."
    }
  ],
  "id": "CVE-2026-23829",
  "lastModified": "2026-02-23T17:29:31.440",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-19T00:15:48.707",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-93"
        },
        {
          "lang": "en",
          "value": "CWE-150"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.