FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mail/mailpit -- multiple vulnerabilities

Affected packages
mailpit < 1.30.0

Details

VuXML ID: 6e701ad2-4f61-11f1-af6d-10ffe07f9334
Discovery: 2026-05-14
Entry: 2026-05-14

Mailpit author reports:

Set a default 50MB per message limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw)

Include CGNAT (Carrier-Grade NAT) in internal IP checks (GHSA-j3fj-qppj-fmmc)

Block internal IP access by default in HTML check (GHSA-j3fj-qppj-fmmc)

Fix for path traversal & arbitrary file write in mailpit dump --http <instance> via attacker-controlled message IDs (GHSA-qx5x-85p8-vg4j)

Fix concurrent map read & write in proxy CSS rewriter (GHSA-w4vj-r5pg-3722)

References

CVE Name: CVE-2026-45709
CVE Name: CVE-2026-45711
CVE Name: CVE-2026-45712
CVE Name: CVE-2026-45713
URL: https://github.com/axllent/mailpit/security/advisories/GHSA-fpxj-m5q8-fphw
URL: https://github.com/axllent/mailpit/security/advisories/GHSA-j3fj-qppj-fmmc
URL: https://github.com/axllent/mailpit/security/advisories/GHSA-qx5x-85p8-vg4j
URL: https://github.com/axllent/mailpit/security/advisories/GHSA-w4vj-r5pg-3722