34 matches found
CVE-2026-34752
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with `__proto__:` as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4...
CVE-2026-34752
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with `__proto__:` as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4...
CVE-2026-34752 Haraka affected by DoS via `__proto__` email header
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with `__proto__:` as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4...
CVE-2026-34752
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with `__proto__:` as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4...
CVE-2026-34752
CVE-2026-34752 is not resolved here; connected advisory GHSA-XPH3-R2JF-4VP3 documents a DoS in Haraka caused by parsing a header named `__proto__`. The header parser stores headers in a plain object; when the header key is `__proto__`, a prototype property path is taken, leading to a TypeError and triggeri...
CVE-2026-34752 Haraka affected by DoS via `__proto__` email header
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with `__proto__:` as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4...
Haraka security vulnerability
Haraka is an open-source SMTP email server developed by Haraka. Versions of Haraka prior to 3.1.4 contained security vulnerabilities. These vulnerabilities occurred when sending emails with `__proto__` as the header name, which could lead to the crash of the worker process...
Uncaught Exception
Overview Haraka is an email server with a modular plugin architecture. Affected versions of this package are vulnerable to Uncaught Exception in the header parsing. An attacker can cause the server process to crash by sending an email with a specially crafted header name such as `__proto__`, which...
Haraka affected by DoS via `__proto__` email header
Summary Sending an email with `__proto__:` as a header name crashes the Haraka worker process. Details The header parser at node_modules/haraka-email-message/lib/header.js:215-218 stores headers in a plain object: javascript addheaderkey, value, method this.headerskey ??= // line 216 this.headerskeymeth...
GHSA-XPH3-R2JF-4VP3 Haraka affected by DoS via `__proto__` email header
Summary Sending an email with `__proto__:` as a header name crashes the Haraka worker process. Details The header parser at node_modules/haraka-email-message/lib/header.js:215-218 stores headers in a plain object: javascript addheaderkey, value, method this.headerskey ??= // line 216 this.headerskeymeth...
PT-2026-29673
Summary Sending an email with `__proto__:` as a header name crashes the Haraka worker process. Details The header parser at node_modules/haraka-email-message/lib/header.js:215-218 stores headers in a plain object: javascript add headerkey, value, method this.headerskey ??= // line 216...
@bgord/bun (>=1.0.2 <=1.2.4), @devix-tecnologia/utils-ts (=1.0.0) +38 more potentially affected by CVE-2025-14874 via nodemailer (=7.0.10)
nodemailer NPM version =7.0.10 is affected by a known vulnerability. The following packages have a transitive dependency on nodemailer and may be impacted: - @bgord/bun =1.0.2, =32.0.0, =4.0.1, =4.9.5, =8.0.1, =8.0.2, =11.3.0, =5.8.38, =1.9.0, =2.1.6, =1.8.0, =0.3.2, =2.17.15 and more Source cves...
MAL-2025-22190 Malicious code in haraka-plugin-footer (npm)
The package haraka-plugin-footer was found to contain malicious code...
Malicious code in haraka-plugin-footer (npm)
The package haraka-plugin-footer was found to contain malicious code...
@blackdark/hashicorp-js-releases (=1.4.7), @cythral/renovate (>=0.1.6 <=0.1.7) +6 more potentially affected by CVE-2023-41037 via openpgp (>=5.0.0 <=5.0.1)
openpgp NPM version =5.0.0, =0.1.6, =1.1.15, =1.1.46, =1.32.0, =27.10.0, =1.35.0, =1.29.0, =1.30.0 Source cves: CVE-2023-41037 Source advisory: OSV:GHSA-CH3C-V47X-4PGP...
RCE affecting Windows hosts via UNC paths to translation files
This is a security release. SECURITY Fixes CVE-2021-34551, a complex RCE affecting Windows hosts. See SECURITY.md for details. The fix for this issue changes the way that language files are loaded. While they remain in the same PHP-like format, they are processed as plain text, and any code in th...
Untrusted code may be run from an overridden address validator
This is a security release. SECURITY Fixes CVE-2021-34551, a complex RCE affecting Windows hosts. See SECURITY.md for details. The fix for this issue changes the way that language files are loaded. While they remain in the same PHP-like format, they are processed as plain text, and any code in th...
GHSA-W5M8-5V9M-XHX5 Critical severity vulnerability that affects Haraka
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection...
Critical severity vulnerability that affects Haraka
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection...
CVE-2016-1000282
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection...