How serious is CVE-2026-27492?

This vulnerability has a CVSS score of 4.7 out of 10, classified as MEDIUM severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-27492?

CVE-2026-27492 affects lettermint lettermint. Check the full CVE details for specific version information.

How do I fix CVE-2026-27492?

To remediate CVE-2026-27492, check for security patches from lettermint. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-27492

Medium

|4.7

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to accidentally receive email content or recipient addresses intended for someone else if the same client instance is reused for sending multiple emails. It mainly affects applications that send emails in sequence, like password resets or notifications, and can be exploited if the application does not properly reset email properties between sends.

Technical Description

Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.

CVSS Vector Analysis

Attack VectorLocal

Attack ComplexityHigh

Privileges RequiredLow

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactNone

Availability ImpactNone

ScopeUnchanged

Vector String

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$621($500-$1K)

Vendor Response

Grade APatched in 3 days

Quick Information

Published

Feb 21, 2026

about 2 months ago

Last Modified

Feb 24, 2026

about 1 month ago

Vendor

lettermint

Product

lettermint