Impact
Mailpit, an email testing tool and API for developers, contains a server-side request forgery (SSRF) flaw in versions older than 1.28.3. The vulnerability resides in the HTML Check feature, which automatically fetches the CSS files referenced by <link> tags in an email so that it can inline them for compatibility testing. An attacker can supply an email containing a crafted <link> tag that points to any internal or external resource, and the Mailpit server will retrieve it on the attacker's behalf. This allows the attacker to reach internal network services, exfiltrate data, or perform further malicious activity. The weakness is classified as CWE-918.
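The defensive counterpart to the behaviour described above is to validate every stylesheet URL before the server fetches it. The following Go code is an added example, not Mailpit's own implementation or its actual fix: it extracts <link> hrefs from a message body and refuses any target whose scheme is not http/https or whose host resolves to a loopback, private, link-local or otherwise non-public address. The hypothetical host names in the test are constructed; the resolver is injected so the policy can be exercised offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// hrefRe: simple <link ... href="..."> extractor (assumption; a real checker would parse the HTML tree).
var hrefRe = regexp.MustCompile(`(?i)<link[^>]*href="([^"]+)"`)

// ExtractLinkHrefs returns the href of every <link> tag in the message body.
func ExtractLinkHrefs(html string) []string {
	var out []string
	for _, m := range hrefRe.FindAllStringSubmatch(html, -1) {
		out = append(out, m[1])
	}
	return out
}

// isForbiddenIP rejects loopback, private, link-local (incl. 169.254.169.254 metadata), multicast and unspecified.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckFetchTarget decides, before any request is sent, whether a stylesheet URL may be fetched:
// only http/https, and every address the host resolves to must be public. resolve is injected
// for offline testing; in production wrap net.DefaultResolver.LookupIP.
func CheckFetchTarget(ctx context.Context, raw string,
	resolve func(ctx context.Context, host string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed for %q", u.Scheme, raw)
	}
	ips, err := resolve(ctx, u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve host %q: %v", u.Hostname(), err)
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return fmt.Errorf("host %q resolves to non-public address %s", u.Hostname(), ip)
		}
	}
	return nil
}
```

Resolving first and fetching afterwards still leaves a DNS-rebinding window, so a production implementation should apply the same address check inside the HTTP client's dial step and re-validate every redirect hop (or disable redirects).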
Affected Systems
axllent Mailpit versions prior to 1.28.3 are affected, that is, every release below the 1.28.3 tag released in August 2026. All deployments running these older binaries are vulnerable regardless of service configuration.
Risk and Exploitability
The CVSS score for this flaw is 5.8, indicating moderate severity. The EPSS score is below 1%, suggesting that the likelihood of exploitation in the near future is low. The flaw is not listed in the CISA KEV catalog. Because the API endpoint is triggered by ordinary HTTP requests, the practical attack surface depends on whether the endpoint is exposed to the public internet or limited to trusted users. If it is publicly accessible, an unauthenticated or authenticated attacker could abuse the SSRF to reach arbitrary internal hosts. If access to the endpoint is restricted, the reachable set of attackers, and with it the risk, is correspondingly reduced.
OpenCVE Enrichment
Github GHSA