What is the CVSS score of CVE-2026-41873?

CVE-2026-41873 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Apache Pony Mail are affected by CVE-2026-41873?

Apache Pony Mail (Lua implementation) contains a critical HTTP request smuggling vulnerability (CVE-2026-41873, CVSS 9.8) that allows unauthenticated attackers to completely compromise administrator…

Apache Pony Mail CVE-2026-41873

EUVD-2026-26065 CRITICAL

HTTP Request/Response Smuggling (CWE-444)

2026-04-28 security@apache.org

Python Information Disclosure Request Smuggling

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 28, 2026 - 22:22 vuln.today

cvss_changed

Analysis Generated

Apr 28, 2026 - 18:53 vuln.today

CVSS changed

Apr 28, 2026 - 18:52 NVD

9.8 (CRITICAL)

EUVD ID Assigned

Apr 28, 2026 - 16:22 euvd

EUVD-2026-26065

Analysis Generated

Apr 28, 2026 - 16:22 vuln.today

CVE Published

Apr 28, 2026 - 16:16 nvd

CRITICAL 9.8

DescriptionNVD

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover.

This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet.

As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

HTTP request smuggling in Apache Pony Mail (Lua implementation) enables remote unauthenticated attackers to achieve complete admin account takeover with critical impact across confidentiality, integrity, and availability. This affects all versions of the retired Lua codebase - Apache has abandoned support with no patch planned, recommending migration to alternative solutions. …

RemediationAI

Within 24 hours: Inventory all systems running Apache Pony Mail Lua implementation and isolate from production if possible; notify stakeholders of mandatory migration requirement. Within 7 days: Establish migration plan to an actively maintained alternative email solution (e.g., HMailServer, Mailcow, or cloud-hosted equivalents) and begin procurement. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41873 vulnerability details – vuln.today

Back

Apache Pony Mail CVE-2026-41873

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code