This release includes an important security fix, so upgrading is strongly recommended.
This is a security release to address CVE-2026-21859. Please note that although previous versions of Mailpit are vulnerable to SSRF attacks via the screenshot proxy, the proxy itself is limited to HTTP GET requests, and only relays some HTTP headers from the proxied server, reducing the attack surface. In addition to this, internet-exposed Mailpit instances should be protected using Basic Authentication, meaning the proxy itself should not be accessible to unauthenticated users.
This release limits all proxied screenshot requests to only those assets (images, fonts & CSS stylesheet links) that are actually referenced within the email message being viewed. All proxy requests to URLs not found within the message, proxied responses returning different content types (such as text/html), or proxied HTTP responses that do not return 2xx response codes will now return a generic HTTP error response. This makes it significantly more difficult to exploit the proxy for SSRF attacks, while still allowing legitimate assets to be loaded via the proxy for screenshot generation.
A huge thanks to the security researcher who reported this issue responsibly (@omarkurt).
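To illustrate the restriction described above, here is an added example (not Mailpit's own code) of the two checks such a proxy needs: an allowlist built from the asset references in the message, consulted before any connection is opened, and a response filter that relays only 2xx responses carrying an asset content type. The regular expression, the `allowedTypes` set, the function names and the `cdn.example` URLs are assumptions made for this illustration.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// assetPattern stands in for walking the parsed message: <img src>, <link href>
// and CSS url(...) references count as assets, ordinary <a href> links do not.
var assetPattern = regexp.MustCompile(`(?i)<(?:img[^>]*\ssrc|link[^>]*\shref)=["']([^"']+)["']|url\(["']?([^"')]+)["']?\)`)

// allowedTypes are the Content-Type prefixes an asset may carry (assumed set).
var allowedTypes = []string{"image/", "font/", "application/font", "text/css"}

// BuildAllowlist returns the exact http(s) asset URLs referenced by a message.
func BuildAllowlist(html string) map[string]bool {
	al := map[string]bool{}
	for _, m := range assetPattern.FindAllStringSubmatch(html, -1) {
		u, err := url.Parse(strings.TrimSpace(m[1] + m[2])) // only one group is set
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
			continue // relative, data:, file: and malformed references are ignored
		}
		al[u.String()] = true
	}
	return al
}

// PermitRequest runs before any connection is opened: the URL the proxy was
// asked to fetch is refused unless it appears verbatim in the message.
func PermitRequest(al map[string]bool, target string) bool {
	return al[target]
}

// AcceptResponse runs before the body is relayed: only 2xx responses with an
// asset Content-Type pass, so an HTML page or error page is never echoed back.
func AcceptResponse(status int, contentType string) bool {
	if status < 200 || status > 299 {
		return false
	}
	ct := strings.ToLower(strings.TrimSpace(strings.Split(contentType, ";")[0]))
	for _, p := range allowedTypes {
		if strings.HasPrefix(ct, p) {
			return true
		}
	}
	return false
}
```

Both checks are deliberately exact-match and fail closed: a URL that is not in the message, or a response that is not a 2xx asset, gets the generic error the release notes describe rather than the upstream body.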
Security
- Restrict screenshot proxy to only support asset links contained in messages (CVE-2026-21859)
Chore
- Bump actions/checkout from 5 to 6 (#610)
- Bump actions/cache from 4 to 5 (#607)
- Bump actions/stale from 10.0.0 to 10.1.1 (#604)
- Bump actions/setup-node from 5 to 6 (#598)
- Bump esbuild from 0.25.12 to 0.27.2 (#611)
- Update Go dependencies
- Update node dependencies
Test
- Add inline message tests
- Increase swagger test timeout