CVE-2026-41873

UNKNOWN 0.0

Pony Mail: Admin account takeover via request smuggling

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE	CWE-444
Vendor	apache software foundation
Product	pony mail
Published	Apr 28, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation pony mail

Be the first to know when new unknown vulnerabilities affecting apache software foundation pony mail are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Pony Mail

0 ≤ *

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/1c7jtxjobh280kqc13fzw1cg57xrz951

Credits

Li Jiantao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs_sg) Tevel Sho of STAR Labs SG Pte. Ltd