CVE-2026-27492

Description

### Impact Email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. ### Patches Yes, the issue has been patched. Users should upgrade to v1.5.1 or later. ### Workarounds If upgrading immediately is not possible, instantiate a new client for each send: ```js const client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY }); await client.email.to('...').subject('...').html('...').send(); ``` This ensures no state is carried over between sends.

How to fix CVE-2026-27492

To remediate CVE-2026-27492, upgrade the affected package to a fixed version below.

• —upgrade to 1.5.1 or later

Is CVE-2026-27492 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.5.1

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-27492
• PATCHgithub.com/lettermint/lettermint-node
• WEBgithub.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20
• WEBgithub.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1