Mailpit CVE-2026-23845 SSRF in HTML Check API via CSS Handler

Vulnerability Summary Vulnerability Type: Server-Side Request Forgery (SSRF) via HTML Check API Severity: Moderate (5.8/10) CVE ID: CVE-2026-23845 Affected Versions: <= v1.28.2, < v0.0.0-20260117230009 Fixed Versions: v1.28.3, v0.0.0-20260117230009 Affected Components Primary File: API Endpoint: Handler: Vulnerable Functions: - - line 132 - - line 193 - - line 221 Technical Details 1. Insufficient URL Validation ( function): Only checks if the URL protocol is or , without validating Host or IP. 2. Unrestricted Download ( function): No IP validation during download process. 3. Automatic CSS Processing ( function): Inadequate validation when processing attribute of tags. Attack Vector Cloud Metadata Credential Theft: - Attacker sends HTML email containing malicious CSS link. - Mailpit service makes GET request to AWS metadata endpoint and downloads IAM credentials. - Credentials may be leaked via logs or error messages. Proof of Concept Provides Python script as a complete working exploit example. Run command: PoC Workflow: 1. Start SSRF listener. 2. Send HTML email with malicious CSS link. 3. Trigger HTML check. 4. Monitor and analyze callback response. 5. Demonstrate exploitation against local listener, cloud metadata endpoints, internal services, and private network ranges. Manual Testing Send malicious HTML email via . Retrieve email ID and trigger SSRF attack. These details illustrate the vulnerability’s mechanism, triggering conditions, and verification methods, providing valuable insights for security researchers and developers in remediation and defense testing.

Goal Reached Thanks to every supporter — we hit 100%!

Mailpit CVE-2026-23845 SSRF in HTML Check API via CSS Handler

More from this source