Mailpit

by Ralph Slootenv1.29.5

Last updated Jun 8, 2026

An email and SMTP testing tool with API for developers

Install with winget

$ winget install --id axllent.mailpit --exact --version 1.29.5

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

About

Mailpit is a small, fast, low memory, zero-dependency, multi-platform email testing tool & API for

developers.

It acts as an SMTP server, provides a modern web interface to view & test captured emails, and

includes an API for automated integration testing.

Mailpit was originally inspired by MailHog which is no longer maintained and hasn't seen active

development or security updates for a few years now.

Installers · v1.29.5

Architecture	Type	Scope	Install	Download
x64	ZIP archive	-		Direct
arm64	ZIP archive	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

5 known CVEs via NVD

medium5.8Patched in wingetCVE-2026-27808affects before 1.29.2Feb 25, 2026
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating ta...
Patch Vendor advisory
medium5.8Patched in wingetCVE-2026-23845affects before 1.28.3Jan 19, 2026
Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. Du...
Patch Vendor advisory
medium5.3Patched in wingetCVE-2026-23829affects before 1.28.3Jan 18, 2026
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers...
Patch
medium6.5Patched in wingetCVE-2026-22689affects before 1.28.2Jan 9, 2026
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacke...
Patch Vendor advisory
medium5.8Patched in wingetCVE-2026-21859affects before 1.28.1Jan 7, 2026
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:/...
Patch Vendor advisory

Source: NVD, updated 1h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

Ente Authente
ente-io.auth-desktopv4.4.23
Open source 2FA authenticator, with end-to-end encrypted backups.
O
Ollama (Portable)Ollama
Ollama.Ollama.Portablev0.20.2
Start building with open models.
butaneFedora Project
Fedora.CoreOS.butanev0.28.0
Butane translates human-readable Butane Configs into machine-readable Ignition Configs.
T
TrivyAqua Security Software
AquaSecurity.Trivyv0.71.0
Trivy is a comprehensive and versatile security scanner.
RcloneRclone
Rclone.Rclonev1.74.3
Rclone ("rsync for cloud storage") is a command-line program to sync files and directories to and from different cloud storage providers.
S
Secrets OPerationSMozilla
Mozilla.SOPSv3.7.3
Simple and flexible tool for managing secrets

More from Ralph Slooten or browse email-testing, go, golang.

Frequently asked questions

How do I install Mailpit on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id axllent.mailpit --exact --version 1.29.5. winget downloads the installer from Ralph Slooten and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Mailpit silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id axllent.mailpit --exact 1.29.5 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall Mailpit via winget?

Run: winget uninstall --id axllent.mailpit --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Mailpit's Apps & Features entry.

Is Mailpit free?

Mailpit is distributed under MIT. Refer to the publisher (https://github.com/axllent/mailpit) for the full license terms - Wingetly itself does not charge for installation.

Does Mailpit work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Mailpit directly from the publisher.

How do I keep Mailpit up to date?

Run winget upgrade --id axllent.mailpit --exact, or winget upgrade --all to update everything winget tracks. We index 1 version of Mailpit from microsoft/winget-pkgs.