smtp-server CVE-2026-38728

EUVD-2026-30546
Severity: HIGH (CVSS 3.1 score 7.5)
Weakness: Uncontrolled Resource Consumption (CWE-400)
2026-05-15 | cve@mitre.org | GHSA-fv2f-rw9f-v9cm

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

May 15, 2026 - 17:31 (vuln.today): Source Code Evidence Fetched
May 15, 2026 - 17:31 (vuln.today): Analysis Generated
May 15, 2026 - 16:22 (NVD): CVSS changed to 7.5 (HIGH)
May 15, 2026 - 15:16 (NVD): CVE Published, UNKNOWN (no severity yet)

Description (NVD)

An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components

Analysis (AI)

Memory exhaustion vulnerability in Nodemailer smtp-server before v3.18.3 enables remote denial of service attacks through unbounded command line processing. The vulnerability allows unauthenticated attackers to crash SMTP services by sending oversized commands that exhaust server memory. …


Remediation (AI)

Within 24 hours: Inventory all systems running Nodemailer smtp-server and identify versions prior to v3.18.3; implement network-level rate limiting and command size restrictions on SMTP ports. Within 7 days: Deploy input validation middleware to reject oversized SMTP commands and configure memory limits on smtp-server processes; test failover email routing. …
