Releases: axllent/mailpit

v1.29.3

10 Mar 02:32

Security

  • Enhance CORS origin handling to respect host:port distinctions
  • Limit proxy requests to 50MB to prevent OOM attacks
  • Enhance HTML sanitization in message view
  • Enhance HTML sanitization in screenshot generation
  • Escape ContentID in HTML replacement to prevent regex injection

Chore

  • Use last release + git hash in Docker edge versions
  • Refactor code with go fix
  • Switch to math/rand/v2
  • Refactor API send authentication logic
  • Refactor events websocket middleware
  • Set timeout for HTTP client in webhook Send function
  • Use local hostname for EHLO/HELO in SMTP communication
  • Simplify HTML decoding function in screenshot generation using DOMParser
  • Set margin & padding to HTML screenshot to prevent transparent top/left border
  • Replace localStorage retrieval with a dedicated function for default release addresses
  • Limit subject length to 100 characters in browser notifications
  • Improve transaction handling in pruneMessages and fix loop continuation in InitDB
  • Update Content-Disposition header to use inline display and escape filename
  • Refactor timezone handling in searchQueryBuilder
  • Update Go dependencies
  • Update node dependencies

Fix

  • Update SQL query to use tenant when using is:tagged filter

v1.29.2

24 Feb 23:31

This release includes an important security fix, so upgrading is strongly recommended.

This security release fixes CVE-2026-27808: users could use the Link Check API to probe internal network IPs/hostnames. The exploit required user access to both the API and the SMTP server, so the risk is limited to users who have publicly-accessible Mailpit instances with no authentication on both the API and SMTP server.

Key change:

  • New opt-in flag: --allow-internal-http-requests (env MP_ALLOW_INTERNAL_HTTP_REQUESTS=true). When enabled, the Link Check API and UI screenshot proxy may access internal-network IPs.

Action required:

  • This is potentially breaking for test suites that depend on Link Check probing internal resources - review and update tests as needed.
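As an added illustration (not Mailpit's own code) of the default-deny behaviour that the new opt-in flag relaxes, the Go check below refuses link-check targets whose hostname resolves to an internal address; `checkLinkTarget`, `isInternalIP`, the injected resolver and the `*.example` hostnames are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// isInternalIP: loopback, private (RFC 1918 / ULA), link-local, unspecified or multicast.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkLinkTarget validates a URL before the link checker fetches it. allowInternal
// plays the role of the opt-in flag; lookup is injected so the check runs offline.
func checkLinkTarget(rawURL string, allowInternal bool, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("unsupported URL %q", rawURL)
	}
	if allowInternal {
		return nil // opt-in flag set: internal targets are permitted
	}
	ips, err := lookup(u.Hostname())
	if err != nil {
		return err
	}
	for _, ip := range ips { // one internal answer refuses the whole name
		if isInternalIP(ip) {
			return fmt.Errorf("%s resolves to internal address %s", u.Hostname(), ip)
		}
	}
	return nil
}

// stubLookup is a constructed resolver standing in for net.LookupIP. A real fetch
// should dial the checked IP rather than re-resolve the name (DNS rebinding).
func stubLookup(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	switch host {
	case "cdn.example": // constructed: public documentation-range address
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "intranet.example": // constructed: RFC 1918 address
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}
```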

A huge thanks to the security researcher (@rtvkiz) who reported this issue responsibly.

Changelog:

Security

  • Prevent Server-Side Request Forgery (SSRF) via Link Check API (CVE-2026-27808)

Chore

  • Upgrade eslint JavaScript linting
  • Update Go dependencies
  • Update node dependencies
  • Update caniemail test database

Fix

  • Update install instructions when setting INSTALL_PATH
  • Include 8BITMIME in SMTPD EHLO response (#648)

v1.29.1

13 Feb 08:02

This is a security release to resolve an upstream Go vulnerability (CVE-2025-68121).

Chore

  • Add CORS error logging and update error messages for failed CORS requests
  • Update Go dependencies
  • Update node dependencies

Fix

  • Enable "Mark all read" button (Inbox) when new message is received

v1.29.0

01 Feb 03:13

Feature

  • Include message attachment checksums (MD5, SHA1 & SHA256) in API message summary
  • Option to display/hide attachment information in message view in web UI including checksums, content type & disposition

Chore

  • Add support for multi-origin CORS settings and apply to events websocket (#630)
  • Add support for webhook delay (#627)
  • Update Go dependencies
  • Update node dependencies

Test

  • Add CORS tests
  • Add message summary attachment checksum tests

v1.28.4

24 Jan 21:08

Chore

  • Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#620)
  • Update Go dependencies
  • Update node dependencies

Fix

  • Ensure SMTP HELO/EHLO command is issued before MAIL as per RFC 5321 (#621)
  • Prevent nested MAIL command during an active SMTP transaction (#623)
  • Avoid error on image type assertion in thumbnail generation

v1.28.3

18 Jan 08:38

This release includes two important security fixes, so upgrading is recommended.

This is a security release which addresses two separate moderate security advisories (see below). A huge thanks to the security researchers (@omarkurt & @mdisec) who reported these issues responsibly.

The release also includes a few bug fixes, dependency updates, and test improvements.

Security

  • Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
  • Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)

Chore

  • Fix formatting and update reporting instructions in SECURITY.md (#614)
  • Allow @ character in message tags & set max length to 100 characters per tag
  • Update Go dependencies
  • Update node dependencies

Fix

  • Correctly render default addresses in release modal after settings change (#594)
  • Correctly detect macOS group in install.sh (#619)
  • Auto-tagging using SMTP username using plain auth (#617)
  • Validate maximum lengths of email addresses - RFC 5321 (section 4.5.3.1)

Test

  • Update tag tests with length limits and @ character
  • Add SMTP tests for RFC 5322 address compliance and header injection
  • Add maximum email length validation tests - RFC 5321 (section 4.5.3.1)

v1.28.2

10 Jan 03:21

This release includes an important security fix, so upgrading is strongly recommended.

This is a security release to address CVE-2026-22689 which allowed unauthenticated browser access to the websocket which provides the real-time web UI updates when new messages are received. A huge thanks to the security researcher (@omarkurt) who reported this issue responsibly.

Security

  • Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data (CVE-2026-22689)

Chore

  • Remove webkit warnings about missing template / render functions
  • Avoid empty URL query parameter when returning to inbox from message view

v1.28.1

06 Jan 02:39

This release includes an important security fix, so upgrading is strongly recommended.

This is a security release to address CVE-2026-21859. Please note that although previous versions of Mailpit are vulnerable to SSRF attacks via the screenshot proxy, the proxy itself is limited to HTTP GET requests, and only relays some HTTP headers from the proxied server, reducing the attack surface. In addition to this, internet-exposed Mailpit instances should be protected using Basic Authentication, meaning the proxy itself should not be accessible to unauthenticated users.

This release limits all proxied screenshot requests to only those assets (images, fonts & CSS stylesheet links) that are actually referenced within the email message being viewed. All proxy requests to URLs not found within the message, proxied responses returning different content types (such as text/html), or proxied HTTP responses that do not return 2xx response codes will now return a generic HTTP error response. This makes it significantly more difficult to exploit the proxy for SSRF attacks, while still allowing legitimate assets to be loaded via the proxy for screenshot generation.
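The three checks described above (URL must be referenced in the message, response must be 2xx, content type must be an asset type), written out as an added Go example that is not Mailpit's code; `assetAllowlist`, `proxyResponseAllowed`, the simplified regexps and the `cdn.example` URLs are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Asset references the proxy may serve: <img src>, <link href> and url()
// inside CSS. Simplified patterns, not a full HTML/CSS parser.
var assetRefs = []*regexp.Regexp{
	regexp.MustCompile(`(?i)<img[^>]+\bsrc\s*=\s*["']([^"']+)["']`),
	regexp.MustCompile(`(?i)<link[^>]+\bhref\s*=\s*["']([^"']+)["']`),
	regexp.MustCompile(`(?i)url\(\s*["']?([^"')]+)["']?\s*\)`),
}

// Content-type prefixes the proxy relays; text/html is deliberately absent.
var allowedProxyTypes = []string{"image/", "font/", "text/css", "application/font"}

// assetAllowlist collects the absolute http(s) asset URLs a message references.
func assetAllowlist(html string) map[string]bool {
	allow := map[string]bool{}
	for _, re := range assetRefs {
		for _, m := range re.FindAllStringSubmatch(html, -1) {
			u := strings.TrimSpace(m[1])
			if strings.HasPrefix(u, "http://") || strings.HasPrefix(u, "https://") {
				allow[u] = true
			}
		}
	}
	return allow
}

// proxyResponseAllowed decides whether an upstream response may be relayed:
// the URL must be in the message, the status 2xx and the type an asset type.
func proxyResponseAllowed(allow map[string]bool, target string, status int, contentType string) error {
	if !allow[target] {
		return fmt.Errorf("%s is not referenced in the message", target)
	}
	if status < 200 || status > 299 {
		return fmt.Errorf("upstream returned HTTP %d", status)
	}
	ct := strings.ToLower(strings.TrimSpace(strings.Split(contentType, ";")[0]))
	for _, p := range allowedProxyTypes {
		if strings.HasPrefix(ct, p) {
			return nil
		}
	}
	return fmt.Errorf("content type %q not allowed", ct)
}
```

Any failure collapses to the same generic error at the HTTP layer, so a caller cannot distinguish "not in message" from "upstream unreachable".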

A huge thanks to the security researcher who reported this issue responsibly (@omarkurt).

Security

  • Restrict screenshot proxy to only support asset links contained in messages (CVE-2026-21859)

Chore

  • Bump actions/checkout from 5 to 6 (#610)
  • Bump actions/cache from 4 to 5 (#607)
  • Bump actions/stale from 10.0.0 to 10.1.1 (#604)
  • Bump actions/setup-node from 5 to 6 (#598)
  • Bump esbuild from 0.25.12 to 0.27.2 (#611)
  • Update Go dependencies
  • Update node dependencies

Test

  • Add inline message tests
  • Increase swagger test timeout

v1.28.0

26 Nov 04:44

Feature

  • Optionally propagate SMTP errors (#588)

Chore

  • Update Go dependencies
  • Update node dependencies
  • Update caniemail test database

v1.27.11

08 Nov 22:39

Chore

  • Update Go dependencies
  • Update node dependencies
  • Add type assertion for value in imaging assignment