QwikSec

Security Database

CVE

CWE

Training

CVE-2026-23829

Published: Jan 18, 2026

Modified: Jan 20, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

Vendor	Product	Versions
axllent	mailpit	affected `< 1.28.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c

x_refsource_CONFIRM

https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534

x_refsource_MISC

https://github.com/axllent/mailpit/releases/tag/v1.28.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.