CVE-2026-45709

high

Description

Mailpit author reports: Set a default 50MB per message limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw) Include CGNAT (Carrier-Grade NAT) in internal IP checks (GHSA-j3fj-qppj-fmmc) Block internal IP access by default in HTML check (GHSA-j3fj-qppj-fmmc) Fix for path traversal & arbitrary file write in mailpit dump --http <instance> via attacker-controlled message IDs (GHSA-qx5x-85p8-vg4j) Fix concurrent map read & write in proxy CSS rewriter (GHSA-w4vj-r5pg-3722)

Details

Source: Mitre, NVD

Published: 2026-05-14

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3