FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2026-01-29 07:23:08 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
d822839e-ee4f-11f0-b53e-0897988a1c07    mail/mailpit -- Cross-Site WebSocket Hijacking

Mailpit author reports:

The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.

An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.


Discovery 2026-01-10
Entry 2026-01-10
mailpit < 1.28.2

CVE-2026-22689
https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm

01f34a27-f560-11f0-bbdc-10ffe07f9334    mail/mailpit -- multiple vulnerabilities

Mailpit author reports:

Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)

Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)


Discovery 2026-01-18
Entry 2026-01-19
mailpit < 1.28.3

CVE-2026-23829
https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c
CVE-2026-23845
https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j