CVE-2022-50908

HIGH

Mailhog 1.0.1 - Stored Cross-Site Scripting via Email Attachment

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50908. PoCs published by Vulnz.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Mailhog 1.0.1, allowing malicious API requests to be executed when a victim opens an email with a crafted attachment. The PoC uses JavaScript to send a DELETE request to the Mailhog API, potentially leading to unauthorized actions.

Description

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation.

Exploits (1)

exploitdb · Working PoC
by Vulnz · webapps / multiple
https://www.exploit-db.com/exploits/50971


Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Mailhog 1.0.1
No auth needed
Prerequisites: Victim must open a malicious email attachment · Mailhog instance must be accessible
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References
Tags: Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/50971

Scores

CVSS v3 7.2
EPSS 0.0025
EPSS Percentile 15.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Mailhog/Mailhog 1.0.1
Published Jan 13, 2026
Tracked Since Feb 18, 2026