CVE-2026-27492

MEDIUM 4.7

Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused

CVSS Score

4.7

EPSS Score

0.0%

EPSS Percentile

0th

Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.

CWE	CWE-488
Vendor	lettermint
Product	lettermint-node
Published	Feb 21, 2026
Last Updated	Feb 24, 2026

Stay Ahead of the Next One

Get instant alerts for lettermint lettermint-node

Be the first to know when new medium vulnerabilities affecting lettermint lettermint-node are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

lettermint / lettermint-node

< 1.5.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp github.com: https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1 github.com: https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20