apprise is vulnerable to Improper Certificate Validation
45
Medium Risk
The email plugin opens SMTPS and STARTTLS connections without passing an ssl context, so smtplib falls back to an unverified stdlib context that does not validate the certificate chain or hostname. The URL-level verify_certificate setting, which defaults to enabled, is silently ignored for the SMTP TLS handshake, so a self-signed or hostname-mismatched certificate is accepted before credentials or message data are sent. An attacker able to intercept or redirect SMTP traffic can present an untrusted certificate, complete the handshake, and capture SMTP credentials and notification contents. The fix builds an ssl context from verify_certificate and passes it to both SMTP_SSL and starttls.
You are affected if you are using a version that falls within the vulnerable range and you send notifications over SMTPS or STARTTLS email (mailtos://) connections.
apprise is vulnerable to Improper Certificate Validation in versions 0.0.1 - 1.11.0.
Upgrade the apprise library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant