CVE-2022-50908
Stored XSS in Mailhog 1.0.1 Enables Arbitrary API Calls

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation.
Meta Information
Published: 2026-01-13
Last Modified: 2026-01-13
Generated: 2026-05-27
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-05-25
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: mailhog
Product: mailhog
Version / Range: 1.0.1
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2022-50908 is a stored Cross-Site Scripting (XSS) vulnerability in Mailhog version 1.0.1. Attackers can inject malicious scripts through email attachments by sending specially crafted emails containing XSS payloads. When a victim opens such an email, the malicious script executes in their browser, allowing the attacker to perform arbitrary API calls on the Mailhog server, such as deleting messages or manipulating the browser. This happens because Mailhog's API lacks authentication and CSRF protections, enabling attackers to exploit the stored XSS to gain unauthorized control. [3, 4]


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to execute arbitrary API calls on your Mailhog instance without authentication. They can delete, send, or read emails, manipulate the browser of a user who opens the malicious email, and potentially gain further control over the victim's environment. This can lead to loss of email data, unauthorized actions on the Mailhog server, and browser-based attacks against users. [3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability, you can check if Mailhog version 1.0.1 is running on your system or network. Since the vulnerability involves stored XSS via email attachments and unrestricted API access on localhost at port 8025, you can verify if the Mailhog API is accessible without authentication. For example, you can use curl commands to test API endpoints:
1) Check if the Mailhog API is accessible: curl -i http://localhost:8025/api/v1/messages
2) Attempt to send a test request to see if API calls can be made without authentication.
Additionally, scanning your network for Mailhog instances on common ports (such as 8025 for the web UI) can help identify exposed services. Using tools like Shodan to find exposed Mailhog instances or local network scanning tools (nmap) to detect Mailhog services on ports like 8025 can also help. However, no specific detection commands for the XSS payload injection are provided in the resources. [2, 4]
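The curl check above can be turned into a repeatable inventory check for your own test environments. The script below is an added example and is not part of the CVE record, the Q&A, or the MailHog project; it assumes the operator supplies the host and port, and it uses only the /api/v1/messages endpoint named in the answer. The classification logic is separated from the network call so it can be tested against constructed responses.

```python
"""Check whether a MailHog web API answers without authentication.

Added example (not from the CVE record or the MailHog project).
Assumptions: the HTTP API listens on the operator-supplied host/port
(MailHog's default is 8025) and exposes /api/v1/messages, which returns
JSON when accessible. A 401/403 means something (a reverse proxy or
MailHog's own basic-auth option) is in front of the API.
"""
import json
import sys
import urllib.error
import urllib.request

MAILHOG_API_PATH = "/api/v1/messages"


def classify_api_response(status: int, body: bytes) -> str:
    """Map an HTTP response from the messages endpoint to an exposure state.

    Returns:
      "unauthenticated-api" - 200 with a JSON message listing: the API
                              can be called by any client, which is the
                              condition the Q&A above warns about.
      "auth-required"       - 401 or 403: some access control is present.
      "unrecognised"        - anything else (not MailHog, or a different
                              path/version layout).
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unrecognised"
    try:
        parsed = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return "unrecognised"
    # API v1 returns a JSON array; a v2-style object carries an "items" list.
    if isinstance(parsed, list):
        return "unauthenticated-api"
    if isinstance(parsed, dict) and isinstance(parsed.get("items"), list):
        return "unauthenticated-api"
    return "unrecognised"


def probe_mailhog(host: str, port: int = 8025, timeout: float = 5.0) -> str:
    """Perform one GET against the messages endpoint and classify the result.

    Sends no credentials on purpose: the question being answered is
    "does the API respond to an anonymous client?"
    """
    url = f"http://{host}:{port}{MAILHOG_API_PATH}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_api_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here rather than as a normal response.
        return classify_api_response(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"


def main(argv: list) -> int:
    host = argv[1] if len(argv) > 1 else "localhost"
    port = int(argv[2]) if len(argv) > 2 else 8025
    state = probe_mailhog(host, port)
    print(f"{host}:{port} -> {state}")
    # Non-zero exit makes the check usable as a gate in a CI or audit job.
    return 1 if state == "unauthenticated-api" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_mailhog.py localhost 8025` against an instance you operate; an exit status of 1 means the API answered an anonymous request and the access controls from the mitigation answer are not yet in place.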


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Restrict access to the Mailhog web UI and API, especially on port 8025, by implementing network-level access controls or firewall rules to prevent unauthorized access.
2) Disable or restrict Mailhog usage in production environments, as it is primarily a testing tool.
3) Apply updates or patches if available; since the vulnerability affects Mailhog version 1.0.1, upgrading to a fixed version (if released) is recommended.
4) Implement authentication and CSRF protections on the Mailhog API to prevent unauthorized API calls.
5) Educate users to avoid opening suspicious email attachments that could contain malicious scripts.
Since Mailhog's API lacks authentication and CSRF protections, securing access and limiting exposure is critical. [3, 4]

