CVE-2026-27492

Source
https://cve.org/CVERecord?id=CVE-2026-27492
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27492.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27492
Aliases
Published
2026-02-21T10:16:03.913Z
Modified
2026-02-24T19:35:25.527960Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
Details

Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.
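The failure mode described above, shown as an added example that is not the Lettermint SDK's code: `LeakyMailer`, `SafeMailer` and `runFlow` are hypothetical names, the fluent builder shape is an assumption, and the addresses and token are constructed. It puts a client that keeps per-message fields on the reused instance beside one that resets them on every send, and doubles as a regression check for an application's own mail wrapper.

```javascript
// Hypothetical fluent mail client (assumed shape, NOT the Lettermint API).
// Per-message fields live on the long-lived instance, as in CWE-488.
class LeakyMailer {
  constructor(transport) {
    this.transport = transport; // array standing in for the mail API
    this.payload = {};
  }
  to(addr) {
    this.payload.to = (this.payload.to || []).concat(addr);
    return this;
  }
  subject(s) { this.payload.subject = s; return this; }
  html(h) { this.payload.html = h; return this; }
  send() {
    // Defect: payload is never cleared, so the next message starts
    // from the previous recipient list and body.
    this.transport.push({ ...this.payload });
  }
}

// Hardened variant: detach the message and reset state before handing
// it to the transport, so even a throwing transport leaves no residue.
class SafeMailer extends LeakyMailer {
  send() {
    const message = this.payload;
    this.payload = {};
    this.transport.push({ ...message });
  }
}

// Two sequential sends on one reused client: a password reset for one
// user, then a text-less welcome notification for another (constructed data).
function runFlow(Mailer) {
  const outbox = [];
  const client = new Mailer(outbox);
  client.to('alice@example.test')
    .subject('Password reset')
    .html('<a href="https://example.test/reset?token=A1">reset</a>')
    .send();
  client.to('bob@example.test').subject('Welcome').send();
  return outbox;
}
```

With `LeakyMailer` the second message still carries the first recipient and the reset link; with `SafeMailer` it contains only what was set for that send.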

Database specific
{
    "cwe_ids": [
        "CWE-488"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27492.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/lettermint/lettermint-node

Affected ranges

Type
GIT
Repo
https://github.com/lettermint/lettermint-node
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.5.1"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.2.0
v1.2.1
v1.3.0
v1.4.0
v1.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27492.json"