Home > Vulnerability Database > CVE-2026-21859

Mend.io Vulnerability Database

CVE-2026-21859

Good to know:

Date: January 7, 2026

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.

Severity Score

5.8

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21859

Url: https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d

Url: https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr

Url: https://pkg.go.dev/vuln/GO-2026-4284

Url: https://github.com/axllent/mailpit

Url: https://www.mend.io/vulnerability-database/CVE-2026-21859

Severity Score

5.8

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version github.com/axllent/mailpit - v1.28.1;https://github.com/axllent/mailpit.git - v1.28.1

Learn More

CVSS v3.1

Base Score:	5.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21859

Good to know:

Date: January 7, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?