FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mail/mailpit -- Server-Side Request Forgery (SSRF) via Link Check API

Affected packages
mailpit < 1.29.2

Details

VuXML ID fe6209a3-126c-11f1-8a62-0897988a1c07
Discovery 2026-02-25
Entry 2026-02-25

Mailpit author reports:

The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction.
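The mitigation the report implies (refusing to contact private or internal addresses before each HEAD request) can be enforced at dial time rather than on the hostname alone, which also covers DNS rebinding. The following is an added Go example, not Mailpit's own code; the function names and the redirect cap are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// isInternalIP reports whether ip is an address a mail link checker must
// never contact: loopback, RFC 1918 / ULA private, link-local (which covers
// the 169.254.169.254 cloud metadata endpoint), unspecified and multicast.
func isInternalIP(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// safeDialControl runs after DNS resolution but before the socket connects,
// so it sees the real IP about to be reached. Filtering only the hostname
// would miss a name that resolves (or is rebound) to an internal address.
func safeDialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); isInternalIP(ip) {
		return fmt.Errorf("link check refused: %s is an internal address", host)
	}
	return nil
}

// newLinkCheckClient builds an HTTP client whose every connection, including
// those made while following redirects, goes through safeDialControl.
// Redirects are capped (assumed value) so a chain cannot probe many hosts.
func newLinkCheckClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second, Control: safeDialControl}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return fmt.Errorf("too many redirects")
			}
			return nil
		},
	}
}
```

Use `newLinkCheckClient().Head(link)` in place of a default client; a refused destination surfaces as a dial error rather than a status code, so it should be reported to the API caller as "blocked", not echoed as a probe result.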

References

CVE Name CVE-2026-27808
URL https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3