Critical severity9.1NVD Advisory· Published Apr 5, 2024· Updated Apr 15, 2026

CVE-2024-27448

Description

MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
maildevnpm	>= 2.0.0-beta1, <= 2.1.0	—

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-vc6q-ccj9-9r89ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-27448ghsaADVISORY
gist.github.com/stypr/fe2003f00959f7e3d92ab9d5260433f8nvdWEB
github.com/maildev/maildev/issues/467nvdWEB
intrix.com.au/articles/exposing-major-security-flaw-in-maildevnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.010
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000