MEDIUM 5.4 npm
GHSA-268h-hp4c-crq3 Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
Modified: 6/15/2026
package
npm / nodemailer
pkg:npm/nodemailer
CRITICAL 9.8 npm
GHSA-48ww-j4fc-435p · CVE-2020-7769 Command injection in nodemailer
Modified: 1/14/2025
MEDIUM 5.3 npm
GHSA-9h6g-pr28-7cqp nodemailer ReDoS when trying to send a specially crafted email
Modified: 9/3/2025
LOW npm
GHSA-c7w3-x93f-qmm8 Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
Modified: 4/6/2026
MEDIUM 6.3 npm
GHSA-hwqf-gcqm-7353 · CVE-2021-23400 Header injection in nodemailer
Modified: 1/14/2025
MEDIUM npm
GHSA-mm7p-fcc7-pg87 · CVE-2025-13033 Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Modified: 2/4/2026
MEDIUM 6.5 npm
GHSA-r7g4-qg5f-qqm2 Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
Modified: 6/15/2026
HIGH 7.5 npm
GHSA-rcmh-qjqh-p98v · CVE-2025-14874 Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
Modified: 3/14/2026
MEDIUM 4.9 npm
GHSA-vvjj-xcjg-gr5g Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Modified: 4/9/2026
MEDIUM 5.4 npm
GHSA-wqvq-jvpq-h66f Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
Modified: 6/15/2026