CVE-2026-41873 · CRITICAL 9.8 · EPSS percentile 35.2%


Description

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% probability of exploitation · percentile 35.2% · scored 2026-06-19T12:03:05Z
Published: 2026-04-28
Last modified: 2026-04-29

Underlying weaknesses · 1

CWE-444

References

  1. https://lists.apache.org/thread/1c7jtxjobh280kqc13fzw1cg57xrz951
  2. http://www.openwall.com/lists/oss-security/2026/04/28/17


Type     | Target                                                                                   | Confidence | Tier
Weakness | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (cwe-444) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-70948
CVE: CVE-2026-32616
CVE: CVE-2026-41964
CVE: CVE-2026-40687
CVE: CVE-2025-24861
CVE: CVE-2025-55315
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.