CVE-2026-41873— Pony Mail: Admin account takeover via request smuggling
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41873
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pony Mail: Admin account takeover via request smuggling
Source: NVD (National Vulnerability Database)
Vulnerability Description
** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Pony Mail 环境问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Pony Mail是美国阿帕奇(Apache)基金会的一款具有邮件归档、查看和交互功能的插件。 Apache Pony Mail存在环境问题漏洞,该漏洞源于HTTP请求解释不一致,可能导致管理员账户接管。以下版本受到影响:所有Lua实现版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Pony Mail | 0 ~ * | - |
II. Public POCs for CVE-2026-41873
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41873
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2026-04-28 · 9 CVEs total
| CVE-2025-48431 | Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid point | |
| CVE-2026-41602 | Apache Thrift: Go TFramedTransport uint32 overflow | |
| CVE-2026-41603 | Apache Thrift: Java TSSLTransportFactory hostname verification | |
| CVE-2026-41604 | Apache Thrift: Swift Range crash in skip() | |
| CVE-2026-41605 | Apache Thrift: Swift Compact Protocol integer overflow | |
| CVE-2026-41606 | Apache Thrift: c_glib dispatch stack overflow | |
| CVE-2026-41607 | Apache Thrift: C++ JSON OOB read | |
| CVE-2026-41636 | Apache Thrift: Node.js skip() recursion |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-35194
Apache Flink: Remote code execution via SQL injection in cod - CVE-2026-45205
Apache Commons Configuration: StackOverflowError for YAML in - CVE-2026-43515
Apache Tomcat: Security constraints not correctly applied - CVE-2026-43514
Apache Tomcat: AJP secret compared in non-constant time - CVE-2026-43513
Apache Tomcat: LockOutRealm treats user names as case-sensit
Same weakness: CWE-444
- CVE-2026-42585
Netty: HTTP Request Smuggling due to malformed Transfer-Enco - CVE-2026-42584
Netty: HttpClientCodec response desynchronization - CVE-2026-42580
Netty: HTTP Request Smuggling due to incorrect chunk size pa - CVE-2026-42581
Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitiz - CVE-2026-40562
Gazelle versions through 0.49 for Perl allows HTTP Request S
V. Comments for CVE-2026-41873
No comments yet