
FreeBSD: VID-d822839e-ee4f-11f0-b53e-0897988a1c07 (CVE-2026-22689): mail/mailpit -- Cross-Site WebSocket Hijacking

Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: Jan 10, 2026
Added: Jan 27, 2026
Modified: Jan 27, 2026

Description

Mailpit author reports: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real time.
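The Origin validation the advisory says is missing, shown as an added Go example that is not Mailpit's own code: a handler that accepts a WebSocket upgrade request only when the browser-supplied Origin matches the Host the request was sent to (same-origin) or an explicit allow list, and otherwise answers 403 before any upgrade takes place. The handler name, the allow-list parameter and the sample origins are assumptions for illustration; the default port 8025 is the one the advisory names.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// checkWebSocketOrigin is an added example (not Mailpit's code) of the Origin
// validation the advisory says is missing. It accepts a request when the Origin
// header matches the Host the browser connected to (same-origin) or one of the
// explicitly allowed origins; the allow list is a constructed illustration.
func checkWebSocketOrigin(r *http.Request, allowed []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Non-browser clients (curl, scripts) send no Origin header, and CSWSH is
		// a browser-only attack, so they are accepted; return false here instead
		// if the endpoint should only ever be used from the web UI.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false // malformed Origin, or the opaque "null" origin: reject
	}
	// Same-origin: Origin host:port must equal the Host header (e.g. localhost:8025).
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, a := range allowed {
		if strings.EqualFold(origin, a) {
			return true
		}
	}
	return false
}

// wsHandler rejects cross-origin requests with 403 before any WebSocket upgrade
// logic runs; the upgrade itself is outside the scope of this example.
func wsHandler(allowed []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !checkWebSocketOrigin(r, allowed) {
			http.Error(w, "forbidden: cross-origin WebSocket request", http.StatusForbidden)
			return
		}
		w.Write([]byte("origin accepted; WebSocket upgrade would proceed here"))
	})
}

func main() {
	// Loopback address and the default port the advisory names for Mailpit.
	panic(http.ListenAndServe("127.0.0.1:8025", wsHandler(nil)))
}
```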

Solution

freebsd-upgrade-package-mailpit