
CVE-2026-23845: CWE-918: Server-Side Request Forgery (SSRF) in axllent mailpit

Severity: Medium
Published: Mon Jan 19 2026 (01/19/2026, 19:01:38 UTC)
Source: CVE Database V5
Vendor/Project: axllent
Product: mailpit

Description

Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.

AI-Powered Analysis

Last updated: 01/26/2026, 19:58:24 UTC

Technical Analysis

CVE-2026-23845 is a Server-Side Request Forgery (SSRF) vulnerability identified in axllent's Mailpit, an email testing tool widely used by developers to analyze email content and compatibility. The vulnerability resides in the HTML Check feature, specifically the `inlineRemoteCSS()` function, which processes HTML emails by automatically downloading external CSS files linked via `<link rel="stylesheet" href="...">` tags. In versions prior to 1.28.3, this function does not properly validate or restrict the URLs it fetches, so an attacker can craft an email whose stylesheet links point at arbitrary URLs. When the server processes such an email, it performs HTTP requests to these attacker-controlled or internal network resources. This can lead to unauthorized internal network scanning, exposure of sensitive internal services, or leaking of confidential information accessible from the server's network context. The vulnerability does not require authentication or user interaction, which increases its exploitation potential. The CVSS v3.1 base score is 5.8, reflecting medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope changed (S:C), confidentiality impact low (C:L), and no impact on integrity or availability (I:N/A:N). No known exploits are reported in the wild as of the publication date. The issue was addressed in Mailpit version 1.28.3, presumably by validating or restricting the URLs that can be fetched during CSS inlining. Organizations using vulnerable versions should upgrade promptly to mitigate risk.

Potential Impact

For European organizations, the SSRF vulnerability in Mailpit poses a risk of unauthorized internal network reconnaissance and potential data leakage. Since Mailpit is used primarily by developers and QA teams for email testing, exploitation could allow attackers to pivot from the email testing environment to internal services that are otherwise inaccessible externally. This could expose sensitive internal APIs, databases, or configuration endpoints, leading to confidentiality breaches. Although the vulnerability does not directly impact system integrity or availability, the information gained could facilitate further attacks. The lack of authentication and user interaction requirements increases the risk of automated exploitation, especially in environments where Mailpit is exposed to untrusted email inputs or external networks. Organizations handling sensitive or regulated data (e.g., financial, healthcare, or government sectors) are particularly at risk of compliance violations if internal data is exposed. The medium severity score indicates a moderate but non-negligible threat that should be addressed promptly to prevent escalation.

Mitigation Recommendations

1. Upgrade Mailpit to version 1.28.3 or later immediately to apply the official fix.
2. Restrict outbound HTTP/HTTPS requests from the Mailpit server to only trusted destinations using network-level controls such as firewall rules or proxy whitelisting.
3. Implement input validation or sanitization on email content before processing to detect and block suspicious external CSS links.
4. Isolate the Mailpit environment in a segmented network zone with limited access to sensitive internal resources to minimize impact if exploited.
5. Monitor Mailpit server logs for unusual outbound requests or access patterns indicative of SSRF exploitation attempts.
6. Educate development and QA teams about the risks of processing untrusted email content and enforce secure handling practices.
7. Regularly review and update security policies related to developer tools and testing environments to include SSRF threat awareness.
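Recommendations 2 and 3 above amount to checking a stylesheet URL before it is ever fetched. The following Go snippet is an added example, not Mailpit's own code: a hypothetical `validateStylesheetURL` check that allows only http/https URLs whose host resolves exclusively to public addresses, with the resolver injected so it can be exercised offline against constructed DNS answers.

```go
package main

import (
	"errors"
	"net"
	"net/url"
)

// isPublicIP rejects loopback, private, link-local, multicast and
// unspecified addresses, the ranges an SSRF typically reaches for.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// validateStylesheetURL is a hypothetical check (not Mailpit's own code) for
// a URL taken from a <link rel="stylesheet" href="..."> tag, run before any
// download. Only http/https is allowed, and every address the host resolves
// to must be public. resolve is injected so the check can run offline; a
// real deployment would pass net.LookupIP.
func validateStylesheetURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("scheme not allowed: " + u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // IP literal such as 127.0.0.1 or [::1]: nothing to resolve
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	if len(ips) == 0 {
		return errors.New("host did not resolve: " + host)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return errors.New("blocked address " + ip.String() + " for host " + host)
		}
	}
	return nil
}
```

Because the later download would resolve the hostname a second time, a production version should also pin the connection to the validated address (for example through a custom dialer) so that a DNS rebinding cannot bypass the check.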


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-16T15:46:40.842Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696e84184623b1157caa87a9

Added to database: 1/19/2026, 7:20:56 PM

Last enriched: 1/26/2026, 7:58:24 PM

Last updated: 2/7/2026, 2:00:39 AM
