CVE-2026-27492
MEDIUM
GHSA-49pc-8936-wvfp
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Tags
Description
Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence - such as transactional flows like password resets or notifications - are affected. This issue has been fixed in version 1.5.1.
Analysis
Email content leakage in Lettermint Node.js SDK versions 1.5.0 and below allows local authenticated users to intercept sensitive email data when a single client instance sends multiple messages, as email properties are not properly cleared between sends. Applications using transactional email flows with reused client instances risk exposing recipient addresses and message content to unintended parties. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today