Home > Vulnerability Database > CVE-2026-22689

Mend.io Vulnerability Database

CVE-2026-22689

Good to know:

Date: January 10, 2026

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.

Severity Score

6.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22689

Url: https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm

Url: https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f

Url: https://github.com/axllent/mailpit

Url: https://www.mend.io/vulnerability-database/CVE-2026-22689

Severity Score

6.5

Weakness Type (CWE)

Missing Origin Validation in WebSockets

CWE-1385

Top Fix

Upgrade Version

Upgrade to version github.com/axllent/mailpit - v1.28.2;github.com/axllent/mailpit - v1.28.2;https://github.com/axllent/mailpit.git - v1.28.2

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22689

Good to know:

Date: January 10, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?