136 matches found
Malicious code in chalk-plus-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1 Package is published under a name riding the popular chalk color-output library but its source tree, README, main entry lib/nodemailer.js, and lib...
MAL-2026-5711 Malicious code in chalk-pro (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce Package is published as 'chalk-pro' homepage chalk-pro.com but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both...
Malicious code in chalk-pro (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce Package is published as 'chalk-pro' homepage chalk-pro.com but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both...
MAL-2026-5710 Malicious code in chalk-plus-ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That...
Malicious code in chalk-plus-ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That...
ROOT-APP-NPM-GHSA-VVJJ-XCJG-GR5G GHSA-vvjj-xcjg-gr5g in @rootio/nodemailer - Patched by Root
Root has patched GHSA-vvjj-xcjg-gr5g in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...
CVE-2026-38728
An issue in Nodemailer smtpserver before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream.write, lib/smtp-stream.js components...
ROOT-APP-NPM-CVE-2025-14874 CVE-2025-14874 in @rootio/nodemailer - Patched by Root
Root has patched CVE-2025-14874 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...
CVE-2026-38728
An issue in Nodemailer smtpserver before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream.write, lib/smtp-stream.js components...
CVE-2026-38728
The vulnerability CVE-2026-38728 affects Nodemailer smtp_server prior to version 3.18.3. The issue is triggered in the SMTPStream._write implementation (lib/smtp-stream.js), allowing a remote attacker to cause a denial of service. Impact is a DoS on the SMTP server component mentioned. The root c...
CVE-2026-38728
An issue in Nodemailer smtpserver before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream.write, lib/smtp-stream.js components...
PT-2026-41303
An issue in Nodemailer smtp server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream. write, lib/smtp-stream.js components...
EUVD-2026-30546
An issue in Nodemailer smtpserver before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream.write, lib/smtp-stream.js components...
CVE-2026-38728
An issue in Nodemailer smtpserver before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream.write, lib/smtp-stream.js components...
CVE-2026-38728
An issue in Nodemailer smtpserver before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream.write, lib/smtp-stream.js components...
ROOT-APP-NPM-CVE-2025-13033 CVE-2025-13033 in @rootio/nodemailer - Patched by Root
Root has patched CVE-2025-13033 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...
GHSA-VVJJ-XCJG-GR5G Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Summary Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters \r\n. A...
CRLF Injection
Overview nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to CRLF Injection via the name configuration configuration option. An attacker can inject arbitrary SMTP commands by supplying carriage return and line feed...
06-03-5 (=1.0.0), 80cents (>=0.3.4 <=0.4.24) +2103 more potentially affected by unknown CVE via nodemailer (>=8.0.0 <=8.0.4)
nodemailer NPM version =8.0.0, =0.3.4, =0.1.0, =1.0.0, =1.16.0-feature-320605-mfchyhti, =1.0.1-develop-7a7ecd-mffcpgol, =1.17.13-beta-20260512-004004-69bacba8, =0.1.0, =0.0.0-nightly-20240619-f62ef04, =1.5.0, =2.0.2, =3.4.3 and more Source cves: unknown CVE Source advisory:...
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Summary Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters \r\n. A...