NIXPKGS-2026-0049

GitHub issue published on 20 Jan 2026

Permalink CVE-2026-23845

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API

Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.

Affected products

mailpit

==< 1.28.3

Matching in nixpkgs

pkgs.mailpit

Email and SMTP testing tool with API for developers

nixos-unstable 1.27.11
- nixpkgs-unstable 1.27.11
- nixos-unstable-small 1.27.11

Package maintainers

@stephank Stéphan Kochen <nix@stephank.nl>

Upstream advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j
Upstream patch: https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0049

Affected products

Matching in nixpkgs

pkgs.mailpit

Package maintainers