CVEInsight.

Free vulnerability intelligence for developers, security teams, and researchers. Data sourced from public databases for informational purposes only.

Explore

Legal

CVE data sourced from NVD / NIST & public disclosures.

Search Vulnerabilities

Software

Searching vulnerabilities affecting “nodemailer”

6 vulnerabilities found for “nodemailer”

CVE-2026-3455

MEDIUM6.1

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

nodemailer / mailparser

Network

Published Mar 3, 2026

CVE-2025-14874

HIGH7.5

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

nodemailer / nodemailer+3

Network

Published Dec 18, 2025

CVE-2021-23400

MEDIUM6.3

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

nodemailer / nodemailer

Network

Published Jun 29, 2021

CVE-2020-7769

HIGH8.6

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

nodemailer / nodemailer

Network

Published Nov 12, 2020

CVE-2017-16072

HIGH7.5

nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodemailer.js_project / nodemailer.js

Network

Published Jun 7, 2018

CVE-2017-16071

HIGH7.5

nodemailer-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodemailer-js_project / nodemailer-js

Network

Published Jun 7, 2018