HarborGuard Database
CVE-2026-50878 | Severity: HIGH | CNA: mitre

CVE-2026-50878: An issue in the attachment handling component of Feuerhamster MailForm v1

An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1

HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the attachment handling component of Feuerhamster MailForm v1.1.0. The flaw is reachable over the network without any authentication, and an attacker can trigger it by sending a crafted request to the affected endpoint. Successful exploitation crashes or renders the MailForm service unavailable. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Feuerhamster MailForm.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine breach-of-threshold status; findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, the finding remains open and visible in the affected environment's vulnerability queue.

Exploit Conditions

  • Network reachability: Required

    The vulnerable attachment handling endpoint is exposed over the network (AV:N), so an attacker must be able to reach it over HTTP or whatever transport the service listens on.

  • Authentication: Not required

    No account or credential is needed (PR:N); the crafted request can be sent anonymously.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user (UI:N); the request alone is sufficient to trigger the denial of service.

  • Attack complexity: Low

    The CVSS vector rates attack complexity Low (AC:L): a single crafted request suffices, with no race window, memory-layout requirement or environmental precondition that must align for the attack to succeed.

Blast Radius

  • The MailForm service becomes unresponsive or crashes, preventing legitimate users from submitting contact or inquiry forms.
  • Depending on deployment topology, a sustained stream of crafted requests keeps the service down for the duration of the attack.
  • If MailForm shares a pod or host with other application components, resource exhaustion may degrade or disrupt those neighbours.

How HarborGuard Handles This

Available on HarborGuard: any image containing Feuerhamster MailForm v1.1.0 that is scanned through a connected registry or pipeline surfaces this CVE as a HIGH-severity open finding scored at CVSS 7.5. Because no upstream fix exists, HarborGuard re-checks the advisory on every ingest cycle and generates a patched-image rebuild automatically once a fix version is published; for customers who opt into auto-remediation, the rebuild is followed by a regression test run and a PR opened against affected workloads.

While no patch is available, recommended compensating controls are:

  • Restrict network access to the MailForm endpoint with a Kubernetes NetworkPolicy or an equivalent layer-4 rule, so that only the intended front door can reach it.
  • Apply rate limits and request-size caps at the ingress or load balancer to blunt crafted-request floods. Note that these reduce an attacker's throughput but do not close the flaw: the advisory describes a single crafted request as sufficient to trigger the denial of service.
  • Gate the attachment upload path behind a feature flag or a route-level rule if that functionality is not business-critical.
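The compensating controls above, as an added example of how they can be expressed in Kubernetes. This is illustrative configuration written for this page, not HarborGuard's or Feuerhamster's own; the namespace "web", the "mailform" Service/Deployment names and labels, port 8080, the hostname forms.example.com, the image reference and the use of ingress-nginx as the ingress controller are all assumptions, and the numeric limits are starting points to tune against real traffic.

```yaml
# Added example (not HarborGuard's or Feuerhamster's own configuration).
# Assumptions, all hypothetical: MailForm runs in namespace "web" as
# Deployment/Service "mailform" (label app: mailform) on port 8080, behind
# ingress-nginx whose controller pods carry app.kubernetes.io/name=ingress-nginx
# in namespace "ingress-nginx". Adjust names, labels and limits to your cluster.
---
# 1. Layer-3/4 gating: only the ingress controller may reach MailForm pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mailform-ingress-only
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: mailform
  policyTypes: [Ingress]
  ingress:
    - from:
        # namespaceSelector AND podSelector in one entry: both must match
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
---
# 2. Edge caps: request-size and rate limits at the ingress so a
# crafted-request flood is throttled before it reaches the attachment handler.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mailform
  namespace: web
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "2m"    # bodies over 2 MiB get HTTP 413
    nginx.ingress.kubernetes.io/limit-rps: "5"           # requests per second per client IP
    nginx.ingress.kubernetes.io/limit-connections: "10"  # concurrent connections per client IP
    nginx.ingress.kubernetes.io/proxy-read-timeout: "10" # seconds before a slow upstream is cut
spec:
  ingressClassName: nginx
  rules:
    - host: forms.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mailform
                port:
                  number: 8080
---
# 3. Blast-radius containment: CPU/memory limits so a crashing or spinning
# MailForm process cannot starve neighbours on the same node, plus a liveness
# probe so a hung replica is restarted rather than left down.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mailform
  namespace: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: mailform
  template:
    metadata:
      labels:
        app: mailform
    spec:
      containers:
        - name: mailform
          image: registry.example.com/mailform:1.1.0  # placeholder image reference
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          livenessProbe:   # assumes GET / returns 2xx on a healthy instance
            httpGet:
              path: /
              port: 8080
            periodSeconds: 10
            failureThreshold: 3
```

Apply with `kubectl apply -f` and verify the NetworkPolicy by attempting a connection to the pod IP from a pod outside the ingress-nginx namespace, which should time out. The advisory does not name the attachment route, so the route-level gating mentioned above is left to the deployer; the ingress caps here apply to the whole MailForm host and reduce flood effectiveness without removing the flaw itself.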

Affected packages
  • n/a / n/a (no package coordinates recorded)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References