CVE-2026-27808

{"id": "CVE-2026-27808", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2026-02-26T00:16:26.013", "references": [{"url": "https://github.com/axllent/mailpit/commit/10ad4df8cc0cd9e51dea1b4410009545eef7fbf5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/axllent/mailpit/releases/tag/v1.29.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability."}, {"lang": "es", "value": "Mailpit es una herramienta de prueba de correo electr\u00f3nico y API para desarrolladores. Antes de la versi\u00f3n 1.29.2, la API de verificaci\u00f3n de enlaces (Link Check API) (/api/v1/message/{ID}/link-check) es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF). El servidor realiza peticiones HTTP HEAD a cada URL encontrada en un correo electr\u00f3nico sin validar los hosts de destino ni filtrar las direcciones IP privadas/internas. La respuesta devuelve c\u00f3digos de estado y texto de estado por enlace, lo que la convierte en una SSRF no ciega. En la configuraci\u00f3n predeterminada (sin autenticaci\u00f3n en SMTP o API), esto es totalmente explotable de forma remota con cero interacci\u00f3n del usuario. Esta es la misma clase de vulnerabilidad que se corrigi\u00f3 en la API de verificaci\u00f3n de HTML (HTML Check API) (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) y el proxy de captura de pantalla (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), pero la ruta de c\u00f3digo de verificaci\u00f3n de enlaces (Link Check) no se incluy\u00f3 en ninguna de las correcciones. La versi\u00f3n 1.29.2 corrige esta vulnerabilidad."}], "lastModified": "2026-02-28T01:00:17.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24EB3804-DA8E-43E1-82F0-0E365C797AAD", "versionEndExcluding": "1.29.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}