Andris Reinman

4 exploits, active since Nov 2020
CVE-2025-13033 WRITEUP HIGH
Nodemailer <=7.0.7 - Quoted Recipient Address Email Misdirection
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
CVSS 7.5
CVE-2026-3455 WRITEUP MEDIUM
mailparser < 3.9.3 - Cross-Site Scripting via textToHtml URL Sanitization Bypass
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding an extra quote (") to a URL with embedded malicious JavaScript code.
CVSS 6.1
CVE-2020-7769 WRITEUP HIGH
nodemailer <6.4.16 - Command Injection
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in the sendmail transport used for sending mail.
CVSS 8.6
CVE-2021-23400 WRITEUP MEDIUM
nodemailer < 6.6.1 - HTTP Header Injection via Address Object
Versions of the package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
CVSS 6.3