CVE-2026-27492 (GCVE-0-2026-27492)

Vulnerability from cvelistv5 – Published: 2026-02-21 10:16 – Updated: 2026-02-24 18:08
VLAI?
Title
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
Summary
Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.
Severity ?
4.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-488 - Exposure of Data Element to Wrong Session
Assigner
References
Impacted products
Vendor Product Version
lettermint lettermint-node Affected: < 1.5.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27492",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-24T18:08:16.795387Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-24T18:08:44.011Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lettermint-node",
          "vendor": "lettermint",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence \u2014 such as transactional flows like password resets or notifications \u2014 are affected. This issue has been fixed in version 1.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-488",
              "description": "CWE-488: Exposure of Data Element to Wrong Session",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-21T10:16:03.913Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp"
        },
        {
          "name": "https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1"
        },
        {
          "name": "https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20"
        }
      ],
      "source": {
        "advisory": "GHSA-49pc-8936-wvfp",
        "discovery": "UNKNOWN"
      },
      "title": "Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27492",
    "datePublished": "2026-02-21T10:16:03.913Z",
    "dateReserved": "2026-02-19T19:46:03.541Z",
    "dateUpdated": "2026-02-24T18:08:44.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27492\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-21T11:15:57.287\",\"lastModified\":\"2026-02-24T15:00:44.600\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence \u2014 such as transactional flows like password resets or notifications \u2014 are affected. This issue has been fixed in version 1.5.1.\"},{\"lang\":\"es\",\"value\":\"El SDK de Node.js de Lettermint es el SDK oficial de Node.js para Lettermint. En las versiones 1.5.0 e inferiores, las propiedades del correo electr\u00f3nico (como \u0027para\u0027, \u0027asunto\u0027, \u0027html\u0027, \u0027texto\u0027 y \u0027archivos adjuntos\u0027) no se restablecen entre env\u00edos cuando una \u00fanica instancia de cliente se reutiliza en m\u00faltiples llamadas a .send(). Esto puede provocar que las propiedades de un env\u00edo anterior se filtren en uno posterior, entregando potencialmente contenido o direcciones de destinatarios a partes no deseadas. Las aplicaciones que env\u00edan correos electr\u00f3nicos a diferentes destinatarios en secuencia \u2014 como flujos transaccionales como restablecimientos de contrase\u00f1a o notificaciones \u2014 se ven afectadas. Este problema ha sido solucionado en la versi\u00f3n 1.5.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-488\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lettermint:lettermint:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.5.1\",\"matchCriteriaId\":\"20B84381-74A5-4D57-91F0-5626B5462944\"}]}]}],\"references\":[{\"url\":\"https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27492\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-24T18:08:16.795387Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-24T18:08:36.104Z\"}}], \"cna\": {\"title\": \"Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused\", \"source\": {\"advisory\": \"GHSA-49pc-8936-wvfp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"lettermint\", \"product\": \"lettermint-node\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp\", \"name\": \"https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1\", \"name\": \"https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20\", \"name\": \"https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence \\u2014 such as transactional flows like password resets or notifications \\u2014 are affected. This issue has been fixed in version 1.5.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-488\", \"description\": \"CWE-488: Exposure of Data Element to Wrong Session\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-21T10:16:03.913Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27492\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-24T18:08:44.011Z\", \"dateReserved\": \"2026-02-19T19:46:03.541Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-21T10:16:03.913Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.