• v1.29.3 3a222dd147

    v1.29.3 Stable

    kerem released this 2026-03-10 05:29:51 +03:00 | 39 commits to develop since this release

    📅 Originally published on GitHub: Tue, 10 Mar 2026 02:32:01 GMT
    🏷️ Git tag created: Tue, 10 Mar 2026 02:29:51 GMT

    Security

    • Enhance CORS origin handling to respect host:port distinctions
    • Limit proxy requests to 50MB to prevent OOM attacks
    • Enhance HTML sanitization in message view
    • Enhance HTML sanitization in screenshot generation
    • Escape ContentID in HTML replacement to prevent regex injection
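The first item above, matching CORS origins on host and port rather than host alone, is worth seeing in code. The following Go program is an added example written for this page, not Mailpit's own code: it builds an origin allow-list that compares scheme, host and port exactly (default ports made explicit), and places beside it a hypothetical host-name-only check that lets any port or scheme on an allowed host through. The names `normalizeOrigin`, `AllowedOrigins` and `naiveHostOnlyAllows`, and the comma-separated setting format, are assumptions of this example, not Mailpit identifiers.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// normalizeOrigin reduces an Origin header or allow-list entry to a canonical
// "scheme://host:port" string. The default port is made explicit so
// "http://localhost" and "http://localhost:80" compare equal, while
// "http://localhost:8025" and "http://localhost:9000" stay distinct.
func normalizeOrigin(origin string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(origin))
	if err != nil {
		return "", err
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return "", fmt.Errorf("origin %q: unsupported scheme", origin)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("origin %q: missing host", origin)
	}
	// An origin carries no path, query, fragment or credentials; tolerate only a bare "/".
	if (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return "", fmt.Errorf("origin %q: must be scheme://host[:port] only", origin)
	}
	port := u.Port()
	if port == "" {
		port = "80"
		if scheme == "https" {
			port = "443"
		}
	}
	// JoinHostPort re-brackets IPv6 literals such as [::1].
	return scheme + "://" + net.JoinHostPort(host, port), nil
}

// AllowedOrigins is an allow-list built from a comma-separated setting such as
// "http://localhost:8025,https://mail.example.test" (assumed format). "*" permits every origin.
type AllowedOrigins struct {
	any bool
	set map[string]bool
}

func NewAllowedOrigins(setting string) (*AllowedOrigins, error) {
	a := &AllowedOrigins{set: map[string]bool{}}
	for _, raw := range strings.Split(setting, ",") {
		raw = strings.TrimSpace(raw)
		switch {
		case raw == "":
			continue
		case raw == "*":
			a.any = true
		default:
			n, err := normalizeOrigin(raw)
			if err != nil {
				return nil, err
			}
			a.set[n] = true
		}
	}
	return a, nil
}

// Allows reports whether a request Origin matches the allow-list exactly on
// scheme, host and port. Unparseable origins are never allowed.
func (a *AllowedOrigins) Allows(origin string) bool {
	if a.any {
		return true
	}
	n, err := normalizeOrigin(origin)
	return err == nil && a.set[n]
}

// naiveHostOnlyAllows is a hypothetical weak check (not Mailpit's code) that
// compares host names only, so any port or scheme on an allowed host passes.
func naiveHostOnlyAllows(setting, origin string) bool {
	o, err := url.Parse(origin)
	if err != nil {
		return false
	}
	for _, raw := range strings.Split(setting, ",") {
		u, err := url.Parse(strings.TrimSpace(raw))
		if err == nil && strings.EqualFold(u.Hostname(), o.Hostname()) {
			return true
		}
	}
	return false
}

func main() {
	setting := "http://localhost:8025, https://mail.example.test"
	a, err := NewAllowedOrigins(setting)
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"http://localhost:8025", "http://localhost:9000", "https://mail.example.test:443"} {
		fmt.Printf("%-32s strict=%-5v host-only=%v\n", o, a.Allows(o), naiveHostOnlyAllows(setting, o))
	}
}
```

Running it shows the host-only check accepting http://localhost:9000 while the strict matcher refuses it. Anything that is not a bare scheme://host[:port] (a trailing path, a missing scheme, an origin url.Parse rejects) is refused rather than guessed at, and a "*" allow-list should never be combined with Access-Control-Allow-Credentials.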

    Chore

    • Use last release + git hash in Docker edge versions
    • Refactor code with go fix
    • Switch to math/rand/v2
    • Refactor API send authentication logic
    • Refactor events websocket middleware
    • Set timeout for HTTP client in webhook Send function
    • Use local hostname for EHLO/HELO in SMTP communication
    • Simplify HTML decoding function in screenshot generation using DOMParser
    • Set margin & padding to HTML screenshot to prevent transparent top/left border
    • Replace localStorage retrieval with a dedicated function for default release addresses
    • Limit subject length to 100 characters in browser notifications
    • Improve transaction handling in pruneMessages and fix loop continuation in InitDB
    • Update Content-Disposition header to use inline display and escape filename
    • Refactor timezone handling in searchQueryBuilder
    • Update Go dependencies
    • Update node dependencies

    Fix

    • Update SQL query to use tenant when using is:tagged filter
  • v1.29.2 dc3e7e701f

    v1.29.2 Stable

    kerem released this 2026-02-25 02:28:48 +03:00 | 66 commits to develop since this release

    📅 Originally published on GitHub: Tue, 24 Feb 2026 23:31:43 GMT
    🏷️ Git tag created: Tue, 24 Feb 2026 23:28:48 GMT

    This security release fixes CVE-2026-27808: the Link Check API could be used to probe internal network IPs and hostnames (server-side request forgery). Exploitation required access to both the API and the SMTP server, so the risk is limited to publicly accessible Mailpit instances with no authentication on both the API and the SMTP server.

    Key change:

    • New opt-in flag: --allow-internal-http-requests (env MP_ALLOW_INTERNAL_HTTP_REQUESTS=true). When enabled, the Link Check API and UI screenshot proxy may access internal-network IPs.

    Action required:

    • This is potentially breaking for test suites that depend on Link Check probing internal resources - review and update tests as needed.
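The policy described above, an internal-address check that is bypassed only by an explicit opt-in, is shown below as an added Go example written for this page; it is not Mailpit's own implementation. It classifies loopback, private, link-local (including the cloud metadata address), CGNAT and multicast targets as internal, checks every resolved address of a host name rather than only the first, and honours an allow-internal flag taken from MP_ALLOW_INTERNAL_HTTP_REQUESTS=true as the release documents it. The function names, the `Resolver` type and the DNS table in `stubResolver` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
)

// Resolver abstracts DNS so the check can be exercised offline.
type Resolver func(host string) ([]net.IP, error)

// ErrInternalTarget is returned for any target the policy forbids.
var ErrInternalTarget = errors.New("link check: target is an internal address (internal requests are disabled)")

// cgnat (100.64.0.0/10) is shared address space that net.IP.IsPrivate does not cover.
var cgnat = mustCIDR("100.64.0.0/10")

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// isInternalIP reports whether ip must never be reached by a server-side fetch:
// loopback, unspecified, link-local (which includes 169.254.169.254), RFC 1918 /
// ULA private space, CGNAT and multicast. IPv4-mapped IPv6 forms such as
// ::ffff:127.0.0.1 are handled by the To4 conversion inside these predicates.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || cgnat.Contains(ip)
}

// checkLinkTarget validates a URL submitted to a link-check style endpoint.
// With allowInternal false (the secure default) a literal internal IP, or a host
// name with any internal address among its records, is rejected. All resolved
// addresses are inspected because a name can mix public and private records.
func checkLinkTarget(rawURL string, allowInternal bool, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("link check: unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("link check: missing host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	} else if len(ips) == 0 {
		return nil, fmt.Errorf("link check: no addresses for %q", host)
	}
	if allowInternal {
		return ips, nil
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrInternalTarget, host, ip)
		}
	}
	return ips, nil
}

// stubResolver is a constructed, offline DNS table for this example.
var stubResolver Resolver = func(host string) ([]net.IP, error) {
	table := map[string][]string{
		"localhost":             {"127.0.0.1", "::1"},
		"intranet.corp.example": {"10.0.0.5"},
		"metadata.example":      {"169.254.169.254"},
		"www.example.test":      {"203.0.113.10"},
		"mixed.example":         {"203.0.113.10", "192.168.1.1"}, // public and private records together
	}
	strs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("lookup %s: no such host", host)
	}
	ips := make([]net.IP, 0, len(strs))
	for _, s := range strs {
		ips = append(ips, net.ParseIP(s))
	}
	return ips, nil
}

func main() {
	// The release documents MP_ALLOW_INTERNAL_HTTP_REQUESTS=true; this example accepts exactly that spelling.
	allowInternal := os.Getenv("MP_ALLOW_INTERNAL_HTTP_REQUESTS") == "true"
	for _, target := range []string{"http://127.0.0.1:8025/", "http://intranet.corp.example/", "https://www.example.test/"} {
		_, err := checkLinkTarget(target, allowInternal, stubResolver)
		fmt.Printf("%-34s allowInternal=%v -> %v\n", target, allowInternal, err)
	}
}
```

Two caveats for anyone wiring a check like this into a real fetcher: the name must not be resolved a second time by the HTTP client after the check (pin the vetted IP in the dialer, or the target can be rebound between check and connect), and every redirect hop needs the same check, since a public host can 302 to a private address.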

    A huge thanks to the security researcher (@rtvkiz) who reported this issue responsibly.

    Changelog:

    Security

    • Prevent Server-Side Request Forgery (SSRF) via Link Check API (CVE-2026-27808)

    Chore

    • Upgrade eslint JavaScript linting
    • Update Go dependencies
    • Update node dependencies
    • Update caniemail test database

    Fix

    • Update install instructions when setting INSTALL_PATH
    • Include 8BITMIME in SMTPD EHLO response (#648)
  • v1.29.1 5527379475

    v1.29.1 Stable

    kerem released this 2026-02-13 10:47:03 +03:00 | 78 commits to develop since this release

    📅 Originally published on GitHub: Fri, 13 Feb 2026 08:02:33 GMT
    🏷️ Git tag created: Fri, 13 Feb 2026 07:47:03 GMT

    This is a security release to resolve an upstream Go vulnerability (CVE-2025-68121).

    Chore

    • Add CORS error logging and update error messages for failed CORS requests
    • Update Go dependencies
    • Update node dependencies

    Fix

    • Enable "Mark all read" button (Inbox) when new message is received
  • v1.29.0 43b8ba3dc6

    v1.29.0 Stable

    kerem released this 2026-02-01 06:12:04 +03:00 | 88 commits to develop since this release

    📅 Originally published on GitHub: Sun, 01 Feb 2026 03:13:50 GMT
    🏷️ Git tag created: Sun, 01 Feb 2026 03:12:04 GMT

    Feature

    • Include message attachment checksums (MD5, SHA1 & SHA256) in API message summary
    • Option to display/hide attachment information in message view in web UI including checksums, content type & disposition

    Chore

    • Add support for multi-origin CORS settings and apply to events websocket (#630)
    • Add support for webhook delay (#627)
    • Update Go dependencies
    • Update node dependencies

    Test

    • Add CORS tests
    • Add message summary attachment checksum tests
  • v1.28.4 f33f9bec2d

    v1.28.4 Stable

    kerem released this 2026-01-25 00:07:38 +03:00 | 103 commits to develop since this release

    📅 Originally published on GitHub: Sat, 24 Jan 2026 21:08:56 GMT
    🏷️ Git tag created: Sat, 24 Jan 2026 21:07:38 GMT

    Chore

    • Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#620)
    • Update Go dependencies
    • Update node dependencies

    Fix

    • Ensure SMTP HELO/EHLO command is issued before MAIL as per RFC 5321 (#621)
    • Prevent nested MAIL command during an active SMTP transaction (#623)
    • Avoid error on image type assertion in thumbnail generation