CVE-2026-23829

MEDIUM NUCLEI

Mailpit <1.28.3 - Header Injection

Title source: llm

Description

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
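Worked example, added here and not taken from Mailpit's source or its fix: the snippet below contrasts a hypothetical weak envelope-address check with a hardened one, and shows why a bare `\r` in `MAIL FROM`/`RCPT TO` matters once the server copies the address into a header it generates. The weak regex is a stand-in that reproduces the symptom described above (CR and LF get through), not the regex Mailpit actually shipped; the sample SMTP lines are constructed, and `returnPathHeader` is an assumed illustration of a header built from the envelope sender.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample envelope commands (not captured from a real server).
// The second one carries a bare carriage return inside the address.
const (
	benignMailFrom   = "MAIL FROM:<alice@example.com>"
	injectedMailFrom = "MAIL FROM:<alice@example.com\rX-Injected: yes\r>"
)

// angleRE pulls the address out of `MAIL FROM:<...>` / `RCPT TO:<...>`.
var angleRE = regexp.MustCompile(`<([^>]*)>`)

// weakAddrRE is a hypothetical insufficient check (not Mailpit's regex).
// The negated classes look like they ban CR/LF, but the pattern is
// unanchored, so MatchString succeeds as soon as any substring matches
// and the control characters around it are never examined.
var weakAddrRE = regexp.MustCompile(`[^\r\n\s<>]+@[^\r\n\s<>]+`)

// strictAddrRE is anchored: the whole address must match.
var strictAddrRE = regexp.MustCompile(`^[^\s<>@]+@[^\s<>@]+$`)

// lineBreakRE mimics a lenient header parser that accepts CRLF, bare CR
// or bare LF as a line terminator.
var lineBreakRE = regexp.MustCompile(`\r\n|\r|\n`)

// extractAddress returns the text between the angle brackets.
func extractAddress(cmd string) (string, error) {
	m := angleRE.FindStringSubmatch(cmd)
	if m == nil {
		return "", errors.New("missing <address>")
	}
	return m[1], nil
}

// weakValidate accepts the injected address because of the unanchored match.
func weakValidate(addr string) bool {
	return weakAddrRE.MatchString(addr)
}

// hardenedValidate rejects any control byte (0x00-0x1F, 0x7F) first,
// then applies the anchored syntactic check. Rejecting the raw bytes is
// independent of regex escaping rules, which is the point of this example.
func hardenedValidate(addr string) error {
	for i := 0; i < len(addr); i++ {
		if addr[i] < 0x20 || addr[i] == 0x7f {
			return fmt.Errorf("control byte 0x%02x at offset %d", addr[i], i)
		}
	}
	if !strictAddrRE.MatchString(addr) {
		return errors.New("malformed address")
	}
	return nil
}

// returnPathHeader is an assumed illustration of a server writing the
// envelope sender into a header of the stored message.
func returnPathHeader(addr string) string {
	return "Return-Path: <" + addr + ">\r\n"
}

// splitHeaderLines shows what a lenient parser sees: an embedded CR turns
// one header into several.
func splitHeaderLines(h string) []string {
	var out []string
	for _, l := range lineBreakRE.Split(h, -1) {
		if l != "" {
			out = append(out, l)
		}
	}
	return out
}

func main() {
	for _, cmd := range []string{benignMailFrom, injectedMailFrom} {
		addr, err := extractAddress(cmd)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%q\n  weak check accepts: %v\n  hardened check: %v\n",
			addr, weakValidate(addr), hardenedValidate(addr))
		for _, l := range splitHeaderLines(returnPathHeader(addr)) {
			fmt.Printf("  header line: %q\n", l)
		}
	}
}
```

Running it shows the injected address passing the weak check and producing a separate `X-Injected: yes` header line, while the hardened check reports the control byte at its offset. The byte-level scan is deliberately placed before the regex: it does not depend on how `\r` and `\n` behave inside a character class, which is exactly the kind of subtlety the advisory describes.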

Exploits (3)

github · WORKING POC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-23829

nomisec · WORKING POC
by SimoesCTT · poc
https://github.com/SimoesCTT/-CVE-2026-23829-CTT-Mailpit-phase-reconstruction-

nomisec · WORKING POC
by SimoesCTT · poc
https://github.com/SimoesCTT/CTT-Mailpit-RCE-v1.0---Temporal-Resonance-Mail-Server-Takeover

Nuclei Templates (1)

Mailpit < 1.28.2 - SMTP CRLF Injection
MEDIUM · VERIFIED · by omarkurt
Shodan: title:"Mailpit"
FOFA: title="Mailpit"

Scores

CVSS v3 5.3
EPSS 0.0094
EPSS Percentile 76.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-150 CWE-93
Status published
Products (2)
axllent/mailpit < 1.28.3
axllent/mailpit 0 - 1.28.3 (Go)
Published Jan 19, 2026
Tracked Since Feb 18, 2026