Description
Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.
Published: 2026-02-21
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unintended email data leakage
Action: Apply Update
AI Analysis

Impact

The Lettermint Node.js SDK fails to clear email properties between successive .send() calls when the same client instance is reused. Properties such as to, subject, html, text, and attachments from a previous message remain attached to the next message, allowing confidential content or recipient addresses to be sent to unintended recipients. This flaw can expose sensitive email content and user addresses and may compromise confidentiality for applications that send transactional emails in rapid succession.

Affected Systems

The vulnerability affects the Lettermint Node.js SDK (lettermint:lettermint-node) in all releases prior to 1.5.1, specifically version 1.5.0 and earlier. Developers using these versions in Node.js environments should verify the installed SDK version.

Risk and Exploitability

The CVSS score is 4.7, indicating moderate severity. The EPSS score is below 1%, suggesting a low exploitation likelihood at this time, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by creating or using a single client instance and performing multiple sends; the second or later send will unintentionally leak data from the previous send. There are no additional prerequisites beyond normal application logic that reuses the client, making the attack path relatively straightforward.

Generated by OpenCVE AI on April 18, 2026 at 11:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lettermint SDK to version 1.5.1 or later where the issue has been fixed.
  • If upgrading immediately is not possible, instantiate a new client object on each set of transactions or explicitly reset email properties between calls.
  • Audit application code to ensure the SDK is not reused across independent email operations and that leak-prone properties are cleared after each send.

Generated by OpenCVE AI on April 18, 2026 at 11:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-49pc-8936-wvfp Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
History

Tue, 24 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Lettermint lettermint
CPEs cpe:2.3:a:lettermint:lettermint:*:*:*:*:*:node.js:*:*
Vendors & Products Lettermint lettermint

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Lettermint
Lettermint lettermint-node
Vendors & Products Lettermint
Lettermint lettermint-node

Sat, 21 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
Description Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.
Title Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
Weaknesses CWE-488
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Lettermint Lettermint Lettermint-node
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:08:44.011Z

Reserved: 2026-02-19T19:46:03.541Z

Link: CVE-2026-27492

cve-icon Vulnrichment

Updated: 2026-02-24T18:08:36.104Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-21T11:15:57.287

Modified: 2026-02-24T15:00:44.600

Link: CVE-2026-27492

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses