CVE-2026-21859

MEDIUM EXPLOITED NUCLEI

Mailpit < 1.28.1 - Server-Side Request Forgery via Proxy Endpoint

Title source: llm

Exploitation Summary

CVE-2026-21859 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.

Nuclei Templates (1)

Mailpit < 1.28.3 - Server-Side Request Forgery

HIGHVERIFIEDby omarkurt

Shodan: title:"Mailpit"

FOFA: title="Mailpit"

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr

Patch x_refsource_misc

https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d

View Patch ZIP pw:eip

Scores

CVSS v3 5.8

EPSS 0.0049

EPSS Percentile 65.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2026-02-11

CWE

CWE-918

Status published

Products (2)

axllent/mailpit < 1.28.1

axllent/mailpit 0 - 1.28.1Go

Published Jan 08, 2026

Tracked Since Feb 18, 2026