FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms

Affected packages
mailpit < 1.30.2

Details

VuXML ID 44afeb08-6a18-11f1-9647-10ffe07f9334
Discovery 2026-06-17
Entry 2026-06-17

Mailpit author reports:

The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers (IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast) plus an inline CGNAT range, but those helpers do not match two classes of IPv6 address that should be blocked for SSRF purposes

References

CVE Name CVE-2026-55187
URL https://github.com/axllent/mailpit/security/advisories/GHSA-w4mc-hhc6-xp28