npm package
haraka
pkg:npm/haraka
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34752 | Hig | 7.5 | < 3.1.4 | 3.1.4 | Apr 2, 2026 | Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4. | |
| CVE-2016-1000282 | — | < 2.8.9 | 2.8.9 | Feb 5, 2019 | Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection. |
- affected < 3.1.4fixed 3.1.4
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
- CVE-2016-1000282Feb 5, 2019affected < 2.8.9fixed 2.8.9
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection.