Apache Pony Mail
cpe:2.3:a:apache:pony_mail:*:*:*:*:*:*:*
- < 0.1.0
A vulnerability allowing admin account takeover via HTTP request/response smuggling has been identified in Pony Mail's Lua implementation, affecting all versions. This vulnerability arises from an inconsistent interpretation of HTTP requests, which can be exploited to manipulate request handling and potentially gain unauthorized administrative access. While a Python implementation called 'Pony Mail Foal' is in development and not affected by this issue, it has not yet been released. Users of the Lua version are advised to seek alternatives or limit access to trusted users, as this version is no longer supported by the maintainer.
Exploitation of this vulnerability allows for unauthorized takeover of admin accounts on the affected Pony Mail instance.