CVE-2026-41873
CRITICALDescription
** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| apache | pony_mail |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2026-41873? +
How severe is CVE-2026-41873? +
What products are affected by CVE-2026-41873? +
How do I check if I'm vulnerable to CVE-2026-41873? +
Related Vulnerabilities
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing …
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Quest Coexistence Manager for Notes (Free/Busy Connector modules) allows HTTP …
Connection desynchronization between an HTTP proxy and the model backend. The fixes were rolled out for all proxies in front …
Member Login Script 3.3 contains a client-side desynchronization vulnerability that allows attackers to manipulate HTTP request handling by exploiting Content-Length …
An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade …
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to …