Releases: axllent/mailpit

v1.29.7

16 Apr 06:01

This is just a security release to update all Go, node and docker image dependencies.

Chore

  • Bump vue-router from 4.6.4 to 5.0.4
  • Bump axios version to 1.15.0
  • Update Go dependencies
  • Update node dependencies

v1.29.6

05 Apr 10:03

Chore

  • Bump docker/login-action from 3 to 4 (#670)
  • Bump actions/stale from 10.1.1 to 10.2.0 (#669)
  • Bump docker/setup-buildx-action from 3 to 4 (#668)
  • Bump docker/setup-qemu-action from 3 to 4 (#666)
  • Bump docker/build-push-action from 6 to 7 (#665)
  • Update Go dependencies
  • Update node dependencies

Fix

  • Version check logic in version command and self updater (#673)

v1.29.5

29 Mar 04:48

Security

  • Add sandbox attribute to message iframe for extra layer of security (already protected via CSP headers)

Feature

  • Add option to disable auto-VACUUMing of the SQLite database (#661)

Chore

  • Update Go dependencies
  • Update node dependencies

v1.29.4

22 Mar 04:57

Feature

  • Add filter functionality to message headers tab

Chore

  • Update Go dependencies
  • Update node dependencies

Fix

  • Refactor webhook delay & rate limit logic to ignore endpoint response times & prevent hardcoded 1000 message limit when set to 0 (#656)

v1.29.3

10 Mar 02:32

Security

  • Enhance CORS origin handling to respect host:port distinctions
  • Limit proxy requests to 50MB to prevent OOM attacks
  • Enhance HTML sanitization in message view
  • Enhance HTML sanitization in screenshot generation
  • Escape ContentID in HTML replacement to prevent regex injection

Chore

  • Use last release + git hash in Docker edge versions
  • Refactor code with go fix
  • Switch to math/rand/v2
  • Refactor API send authentication logic
  • Refactor events websocket middleware
  • Set timeout for HTTP client in webhook Send function
  • Use local hostname for EHLO/HELO in SMTP communication
  • Simplify HTML decoding function in screenshot generation using DOMParser
  • Set margin & padding to HTML screenshot to prevent transparent top/left border
  • Replace localStorage retrieval with a dedicated function for default release addresses
  • Limit subject length to 100 characters in browser notifications
  • Improve transaction handling in pruneMessages and fix loop continuation in InitDB
  • Update Content-Disposition header to use inline display and escape filename
  • Refactor timezone handling in searchQueryBuilder
  • Update Go dependencies
  • Update node dependencies

Fix

  • Update SQL query to use tenant when using is:tagged filter

v1.29.2

24 Feb 23:31

This release includes an important security fix, so upgrading is strongly recommended.

This security release fixes CVE-2026-27808: users could use the Link Check API to probe internal network IPs/hostnames. Exploitation required user access to both the API and the SMTP server, so the risk is limited to publicly accessible Mailpit instances with no authentication on either the API or the SMTP server.

Key change:

  • New opt-in flag: --allow-internal-http-requests (env MP_ALLOW_INTERNAL_HTTP_REQUESTS=true). When enabled, the Link Check API and UI screenshot proxy may access internal-network IPs.

Action required:

  • This is potentially breaking for test suites that depend on Link Check probing internal resources - review and update tests as needed.

A huge thanks to the security researcher (@rtvkiz) who reported this issue responsibly.
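As an added example (not Mailpit's own code), the following Go HTTP client refuses to connect to non-public addresses unless an allow-internal flag is set, mirroring the default-deny behaviour of the opt-in flag described above. The function names and the 10/15-second timeouts are assumptions; the check runs inside the dialer, so it also covers redirect targets and hostnames that resolve to internal IPs.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// ErrInternalTarget is returned when a link resolves to a non-public address.
var ErrInternalTarget = errors.New("refusing request to internal address")

// isInternalIP: loopback, RFC 1918 / fc00::/7, link-local, unspecified or multicast.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// guardedDial vets the address actually being connected to, after DNS resolution,
// and dials the vetted IP so a second lookup cannot change the answer.
func guardedDial(allowInternal bool) func(ctx context.Context, network, addr string) (net.Conn, error) {
	d := &net.Dialer{Timeout: 10 * time.Second} // timeout is an assumed value
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, ia := range ips {
			if !allowInternal && isInternalIP(ia.IP) {
				return nil, fmt.Errorf("%w: %s -> %s", ErrInternalTarget, host, ia.IP)
			}
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
	}
}

// newLinkCheckClient is the client a link checker would use; allowInternal plays
// the role of the opt-in flag from the release notes (default off).
func newLinkCheckClient(allowInternal bool) *http.Client {
	return &http.Client{
		Timeout:   15 * time.Second, // assumed value
		Transport: &http.Transport{DialContext: guardedDial(allowInternal)},
	}
}
```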

Changelog:

Security

  • Prevent Server-Side Request Forgery (SSRF) via Link Check API (CVE-2026-27808)

Chore

  • Upgrade eslint JavaScript linting
  • Update Go dependencies
  • Update node dependencies
  • Update caniemail test database

Fix

  • Update install instructions when setting INSTALL_PATH
  • Include 8BITMIME in SMTPD EHLO response (#648)

v1.29.1

13 Feb 08:02

This is a security release to resolve an upstream Go vulnerability (CVE-2025-68121).

Chore

  • Add CORS error logging and update error messages for failed CORS requests
  • Update Go dependencies
  • Update node dependencies

Fix

  • Enable "Mark all read" button (Inbox) when new message is received

v1.29.0

01 Feb 03:13

Feature

  • Include message attachment checksums (MD5, SHA1 & SHA256) in API message summary
  • Option to display/hide attachment information in message view in web UI including checksums, content type & disposition

Chore

  • Add support for multi-origin CORS settings and apply to events websocket (#630)
  • Add support for webhook delay (#627)
  • Update Go dependencies
  • Update node dependencies

Test

  • Add CORS tests
  • Add message summary attachment checksum tests

v1.28.4

24 Jan 21:08

Chore

  • Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#620)
  • Update Go dependencies
  • Update node dependencies

Fix

  • Ensure SMTP HELO/EHLO command is issued before MAIL as per RFC 5321 (#621)
  • Prevent nested MAIL command during an active SMTP transaction (#623)
  • Avoid error on image type assertion in thumbnail generation

v1.28.3

18 Jan 08:38

This release includes two important security fixes, so upgrading is recommended.

This is a security release which addresses two separate moderate security advisories (see below). A huge thanks to the security researchers (@omarkurt & @mdisec) who reported these issues responsibly.

The release also includes a few bug fixes, dependency updates, and test improvements.

Security

  • Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
  • Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)

Chore

  • Fix formatting and update reporting instructions in SECURITY.md (#614)
  • Allow @ character in message tags & set max length to 100 characters per tag
  • Update Go dependencies
  • Update node dependencies

Fix

  • Correctly render default addresses in release modal after settings change (#594)
  • Correctly detect macOS group in install.sh (#619)
  • Auto-tagging using SMTP username using plain auth (#617)
  • Validate maximum lengths of email addresses - RFC 5321 (section 4.5.3.1)

Test

  • Update tag tests with length limits and @ character
  • Add SMTP tests for RFC 5322 address compliance and header injection
  • Add maximum email length validation tests - RFC 5321 (section 4.5.3.1)