MidnightBSD

Advisories for nodemailer

CVE-2020-7769 HIGH

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-88,

Products Affected

Vendor Product Version
nodemailer nodemailer *
CVE-2021-23400 MEDIUM

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
report@snyk.io 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L 2.8 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
nodemailer nodemailer *
CVE-2025-14874

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
redhat advanced_cluster_management_for_kubernetes 2.0
redhat developer_hub -
redhat ceph_storage 8.0
nodemailer nodemailer *
CVE-2026-3455

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
nodemailer mailparser *