Lucene search
+L

154 matches found

osv
osv
added yesterday8 views

ROOT-APP-NPM-CVE-2025-13033 CVE-2025-13033 in @rootio/nodemailer - Patched by Root

Root has patched CVE-2025-13033 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...

7.5CVSS5.4AI score0.00544EPSS
Exploits0
osv
osv
added yesterday5 views

ROOT-APP-NPM-GHSA-R7G4-QG5F-QQM2 GHSA-r7g4-qg5f-qqm2 in @rootio/nodemailer - Patched by Root

Root has patched GHSA-r7g4-qg5f-qqm2 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...

6.1AI score
Exploits0
osv
osv
added yesterday2 views

ROOT-APP-NPM-GHSA-268H-HP4C-CRQ3 GHSA-268h-hp4c-crq3 in @rootio/nodemailer - Patched by Root

Root has patched GHSA-268h-hp4c-crq3 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...

6.1AI score
Exploits0
osv
osv
added yesterday12 views

ROOT-APP-NPM-GHSA-P6GQ-J5CR-W38F GHSA-p6gq-j5cr-w38f in @rootio/nodemailer - Patched by Root

Root has patched GHSA-p6gq-j5cr-w38f in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...

5.8AI score
Exploits0
osv
osv
added yesterday3 views

ROOT-APP-NPM-GHSA-VVJJ-XCJG-GR5G GHSA-vvjj-xcjg-gr5g in @rootio/nodemailer - Patched by Root

Root has patched GHSA-vvjj-xcjg-gr5g in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...

4.9CVSS5.8AI score
Exploits0
osv
osv
added yesterday1 views

ROOT-APP-NPM-GHSA-WQVQ-JVPQ-H66F GHSA-wqvq-jvpq-h66f in @rootio/nodemailer - Patched by Root

Root has patched GHSA-wqvq-jvpq-h66f in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...

6.1AI score
Exploits0
osv
osv
added yesterday11 views

ROOT-APP-NPM-CVE-2025-14874 CVE-2025-14874 in @rootio/nodemailer - Patched by Root

Root has patched CVE-2025-14874 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...

7.5CVSS5.2AI score0.00409EPSS
Exploits1
nvd
nvd
added last week9 views

CVE-2026-59721

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILERSMTPURL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into...

7.2CVSS0.00518EPSS
Exploits0References4
cvelist
cvelist
added last week31 views

CVE-2026-59721 Hoppscotch: Admin RCE via MAILER_SMTP_URL nodemailer sendmail-transport injection

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILERSMTPURL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into...

7.2CVSS0.00518EPSS
Exploits0References4
euvd
euvd
added last week7 views

EUVD-2026-42653

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILERSMTPURL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into...

7.2CVSS6.2AI score0.00518EPSS
Exploits0References4
osv
osv
added last week3 views

CVE-2026-59721 Hoppscotch: Admin RCE via MAILER_SMTP_URL nodemailer sendmail-transport injection

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILERSMTPURL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into...

7.2CVSS6.3AI score0.00518EPSS
Exploits0References6
ossf
ossf
added 2026/07/01 7:15 p.m.13 views

Malicious code in vitest-agent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0165cbb3d6ed37a96889c4b016463706346e1c09413635c31ea1ceedde8774 The package's postinstall script node lib/utils/index.js spawns a detached, stdio-suppressed Node child process that runs...

5.9AI score
Exploits0References4
osv
osv
added 2026/07/01 7:15 p.m.8 views

MAL-2026-6710 Malicious code in vitest-agent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0165cbb3d6ed37a96889c4b016463706346e1c09413635c31ea1ceedde8774 The package's postinstall script node lib/utils/index.js spawns a detached, stdio-suppressed Node child process that runs...

5.9AI score
Exploits0References4
osv
osv
added 2026/06/18 2:28 p.m.28 views

GHSA-P6GQ-J5CR-W38F Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message

Message-level raw option bypasses disableFileAccess / disableUrlAccess, enabling arbitrary file read and full-response SSRF in the sent message - Target: nodemailer/nodemailer, npm nodemailer v9.0.0 HEAD 4e58450eb490e5097a74b2b2cce35a8d9e21856e - Verdict: CONFIRMED local PoC, no network Summary...

7.1CVSS5.6AI score
Exploits0References2
ossf
ossf
added 2026/06/16 3:2 a.m.17 views

Malicious code in vitest-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39810890a1ffc946b3da439738fb619eab1613a775a308d6f248b80b38ce5603 Package vitest-pro is a namespace-abuse lure: its name suggests a vitest extension, but its source tree, README, and main entry lib/nodemailer.js are...

5.3AI score
Exploits0References2
osv
osv
added 2026/06/15 5:36 p.m.16 views

GHSA-268H-HP4C-CRQ3 Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection

Summary Nodemailer constructs List- headers from the caller-provided list message option using internally prepared header values. The list..comment field is inserted into those prepared values without removing CR \r or LF \n characters. Because prepared headers bypass the normal header-value...

5.4CVSS6.1AI score
Exploits0References2
github
github
added 2026/06/15 5:36 p.m.71 views

Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection

Summary Nodemailer constructs List- headers from the caller-provided list message option using internally prepared header values. The list..comment field is inserted into those prepared values without removing CR \r or LF \n characters. Because prepared headers bypass the normal header-value...

6.1AI score
Exploits0References2Affected Software1
osv
osv
added 2026/06/15 5:35 p.m.12 views

GHSA-WQVQ-JVPQ-H66F Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization

Summary Nodemailer's disableFileAccess and disableUrlAccess options are intended to prevent message content and attachments from reading local files or fetching URLs. The normal MIME streaming path enforces those options in MimeNode.getStream. However, jsonTransport serializes messages by calling...

5.4CVSS5.5AI score
Exploits0References2
osv
osv
added 2026/06/15 5:34 p.m.30 views

GHSA-R7G4-QG5F-QQM2 Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception

Summary Nodemailer disables TLS certificate verification in its internal HTTPS fetch client through the use of rejectUnauthorized: false inside lib/fetch/index.js. As a result, OAuth2 token requests trust invalid or self-signed HTTPS certificates and transmit sensitive OAuth credentials over...

6.5CVSS5.7AI score
Exploits0References2
github
github
added 2026/06/15 5:34 p.m.32 views

Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception

Summary Nodemailer disables TLS certificate verification in its internal HTTPS fetch client through the use of rejectUnauthorized: false inside lib/fetch/index.js. As a result, OAuth2 token requests trust invalid or self-signed HTTPS certificates and transmit sensitive OAuth credentials over...

5.6AI score
Exploits0References2Affected Software1
Rows per page
Query Builder