Nixpkgs security tracker

Untriaged

Permalink CVE-2026-23829

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

created 3 months ago

Mailpit has SMTP Header Injection via Regex Bypass

Mailpit is an email testing tool and API for developers. Prior to version 1.28. Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

References

https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c x_refsource_CONFIRM
https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 x_refsource_MISC
https://github.com/axllent/mailpit/releases/tag/v1.28.3 x_refsource_MISC

Affected products

mailpit

==< 1.28.3

Matching in nixpkgs

pkgs.mailpit

Email and SMTP testing tool with API for developers

nixos-unstable 1.26.0
- nixpkgs-unstable 1.26.0
- nixos-unstable-small 1.26.0
nixos-25.11 1.27.11
- nixpkgs-25.11-darwin 1.27.11

Package maintainers

@stephank Stéphan Kochen <nix@stephank.nl>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.mailpit

Package maintainers