Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NAxllent Mailpit
APPAxllent< 1.28.3
Related vulnerabilities
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/...
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vul...
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server...
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request ...