CVE-2026-34752

UNKNOWN 0.0

Haraka affected by DoS via `proto` email header

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.

CWE	CWE-248
Vendor	haraka
Product	haraka
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for haraka haraka

Be the first to know when new unknown vulnerabilities affecting haraka haraka are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

haraka / Haraka

< 3.1.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3 github.com: https://github.com/haraka/Haraka/releases/tag/v3.1.4

CVE-2026-34752

Haraka affected by DoS via `__proto__` email header

Get instant alerts for haraka haraka

Affected Versions

References

Haraka affected by DoS via `proto` email header