PatchDay Alert

CVE-2026-41873

0 field notes · 1 digest · CVSS 9.8


Daily digests

The Lua version of Apache Pony Mail has an HTTP request smuggling bug that lets an attacker take over admin accounts. Here's the catch: the project is retired and there will be no fix. The replacement ("Pony Mail Foal," written in Python) isn't affected but also isn't officially released yet. CVSS 9.8.
