LeakyCreds

CVE-2026-41873 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 28, 2026

Pony Mail - Authentication Bypass

Published: April 28, 2026 | Updated: April 28, 2026 | Remote Exploitable

Overview

The Pony Mail Lua implementation contains an HTTP request smuggling vulnerability caused by inconsistent interpretation of HTTP requests, which lets attackers take over admin accounts. Exploitation requires access to the vulnerable instance.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can take over admin accounts, leading to full administrative control of the system.

Mitigation

No fix available; users should find an alternative or restrict access to trusted users.

Details

CVE ID: CVE-2026-41873
Severity: Critical
CVSS Score: 9.8
Type: http_request_smuggling
Status: confirmed

CWE

  • CWE-444

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H