SB2026040859 - CRLF injection in nodemailer


Published: April 8, 2026

Security Bulletin ID: SB2026040859
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) CRLF injection (CVE-ID: N/A)

The vulnerability allows a remote user to inject arbitrary SMTP commands.

The vulnerability exists because CRLF sequences in the transport name option are not neutralized in lib/smtp-connection/index.js when the EHLO, HELO, or LHLO command is constructed. A remote privileged user can supply a specially crafted name value containing CRLF sequences to inject arbitrary SMTP commands.

The issue occurs during SMTP connection initialization before the application's intended message commands are processed.
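As an added mitigation example (not nodemailer's own code), the check below validates the transport name option before it is handed to the transport, so a value containing CR, LF or any other character that cannot appear in an SMTP greeting hostname is refused instead of being written into the EHLO/HELO/LHLO line. The function names isSafeEhloName and safeTransportOptions, the regular expressions and the sample inputs are assumptions constructed for this example; only the name option itself is taken from the bulletin.

```javascript
// Added example, not part of nodemailer: validate the transport `name`
// option before it can reach the SMTP greeting line.

// RFC 5321 style hostname: dot-separated labels of letters, digits and hyphens.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;
// Address literal such as [192.0.2.10] (IPv4 only, to keep the example short).
const IPV4_LITERAL_RE =
  /^\[(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\]$/;

/**
 * Returns true only when `name` can be embedded in "EHLO <name>\r\n" as a
 * single line: a hostname or an [IPv4] literal with no control characters.
 */
function isSafeEhloName(name) {
  if (typeof name !== 'string' || name.length === 0) return false;
  // Any CR, LF, other control character or whitespace would end the greeting
  // line early and let the remainder be read by the server as further commands.
  if (/[\x00-\x1f\x7f\s]/.test(name)) return false;
  return HOSTNAME_RE.test(name) || IPV4_LITERAL_RE.test(name);
}

/**
 * Wraps transport options: refuse an unsafe name rather than silently
 * sanitizing it, so a bad configuration value is surfaced, not masked.
 */
function safeTransportOptions(options) {
  const { name, ...rest } = options;
  if (name !== undefined && !isSafeEhloName(name)) {
    throw new Error('transport name must be a single-line hostname or [IPv4] literal');
  }
  return name === undefined ? { ...rest } : { ...rest, name };
}

// Constructed inputs for illustration.
const accepted = isSafeEhloName('mail.example.org'); // true
const rejected = isSafeEhloName('host\r\ninjected'); // false

module.exports = { isSafeEhloName, safeTransportOptions, accepted, rejected };
```

Pass the result of safeTransportOptions to nodemailer's createTransport so the check runs wherever the name value originates from configuration.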


Remediation

Install the update from the vendor's website.