Date: Sat, 10 Jan 2026 18:18:33 +0000 From: Guido Falsi <madpilot@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 6bd3dbdc0101 - main - security/vuxml: security/vuxml: Document mail/mailpit vulnerability (CVE-2026-22689) Message-ID: <696297f9.39d0c.11f1a798@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by madpilot: URL: https://cgit.FreeBSD.org/ports/commit/?id=6bd3dbdc010183ef8168fa17454a52626cc62a3e commit 6bd3dbdc010183ef8168fa17454a52626cc62a3e Author: Guido Falsi <madpilot@FreeBSD.org> AuthorDate: 2026-01-10 18:18:01 +0000 Commit: Guido Falsi <madpilot@FreeBSD.org> CommitDate: 2026-01-10 18:18:01 +0000 security/vuxml: security/vuxml: Document mail/mailpit vulnerability (CVE-2026-22689) --- security/vuxml/vuln/2026.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 2ed681d7420c..ec7edeeb1c78 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,3 +1,39 @@ + <vuln vid="d822839e-ee4f-11f0-b53e-0897988a1c07"> + <topic>mail/mailpit -- Cross-Site WebSocket Hijacking</topic> + <affects> +<package> +<name>mailpit</name> +<range><lt>1.28.2</lt></range> +</package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Mailpit author reports:</p> + <blockquote cite="https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm">; + <p>The Mailpit WebSocket server is configured to accept + connections from any origin. This lack of Origin header + validation introduces a Cross-Site WebSocket Hijacking + (CSWSH) vulnerability.</p> + + <p>An attacker can host a malicious website that, when + visited by a developer running Mailpit locally, establishes + a WebSocket connection to the victim's Mailpit instance + (default ws://localhost:8025). This allows the attacker + to intercept sensitive data such as email contents, + headers, and server statistics in real-time.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2026-22689</cvename> + <url>https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm</url>; + </references> + <dates> + <discovery>2026-01-10</discovery> + <entry>2026-01-10</entry> + </dates> + </vuln> + <vuln vid="79c3c751-ee20-11f0-b17e-50ebf6bdf8e9"> <topic>phpmyfaq -- multiple vulnerabilities</topic> <affects>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?696297f9.39d0c.11f1a798>