CVE-2026-27492: Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
(updated )
Email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected.
References
- github.com/advisories/GHSA-49pc-8936-wvfp
- github.com/lettermint/lettermint-node
- github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md
- github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1
- github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp
- nvd.nist.gov/vuln/detail/CVE-2026-27492
Code Behaviors & Features
Detect and mitigate CVE-2026-27492 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →