Security

Report a vulnerability

.github/SECURITY.md

Reporting security vulnerabilities

Your efforts to responsibly disclose your findings are appreciated.

Please do not report security vulnerabilities through public GitHub issues.

If you believe you have found a security vulnerability, you can report it using one of the following methods:

GitHub Security Advisory (Recommended): Use the "Report a vulnerability" button in the Security tab of this repository.
Email: Send your findings to security@axllent.org

Your report should include:

Mailpit version
A vulnerability description
Reproduction steps (if applicable)
Any other details you think are likely to be important

You should receive an initial acknowledgement within 24 hours in most cases, and will be kept updated throughout the process.

With your consent, your contributions will be publicly acknowledged.

Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data
GHSA-524m-q5m7-79mm published Jan 9, 2026 by axllent

Moderate
Server-Side Request Forgery (SSRF) in Mailpit Proxy Endpoint
GHSA-8v65-47jx-7mfr published Jan 6, 2026 by axllent

Moderate

Learn more about advisories related to axllent/mailpit in the GitHub Advisory Database