Nodemailer
Products
3- Nodemailer2 CVEsnpm
- 2 CVEs
- Mailparser1 CVEnpm
Recent CVEs
5| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-38728 | Hig | 0.42 | 7.5 | 0.01 | May 15, 2026 | An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components | ||
| CVE-2025-13033 | Hig | 0.42 | 7.5 | 0.01 | Nov 14, 2025 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to… | ||
| CVE-2026-3455 | Med | 0.33 | 6.1 | 0.00 | Mar 3, 2026 | Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the… | ||
| CVE-2001-0280 | 0.04 | — | 0.13 | May 3, 2001 | Buffer overflow in MERCUR SMTP server 3.30 allows remote attackers to execute arbitrary commands via a long EXPN command. | |||
| CVE-2025-14874 | 0.00 | — | 0.00 | Dec 18, 2025 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. |
- risk 0.42cvss 7.5epss 0.01
An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components
- risk 0.42cvss 7.5epss 0.01
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to…
- risk 0.33cvss 6.1epss 0.00
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the…
- CVE-2001-0280May 3, 2001risk 0.04cvss —epss 0.13
Buffer overflow in MERCUR SMTP server 3.30 allows remote attackers to execute arbitrary commands via a long EXPN command.
- CVE-2025-14874Dec 18, 2025risk 0.00cvss —epss 0.00
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.