VYPR

npm package

haraka

pkg:npm/haraka

Vulnerabilities (2)

  • CVE-2026-34752HigApr 2, 2026
    affected < 3.1.4fixed 3.1.4

    Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.

  • CVE-2016-1000282Feb 5, 2019
    affected < 2.8.9fixed 2.8.9

    Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection.