PT-2026-21340 · Unknown · Lettermint Node.Js Sdk

Bjarn · Published 2026-02-20 · Updated 2026-02-24 · CVE-2026-27492

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Lettermint Node.js SDK versions 1.5.0 and below

Description

The Lettermint Node.js SDK has an issue where email properties (to, subject, html, text, and attachments) are not reset between calls to the .send() function when the same client instance is reused. This can lead to data from a previous email being included in a subsequent email, potentially sending content or recipient addresses to unintended parties. Applications that send emails to different recipients sequentially, such as those used for password resets or notifications, are particularly susceptible. The issue occurs when reusing a single client instance across multiple .send() calls.

Recommendations

Upgrade to version 1.5.1 or later. If upgrading is not immediately possible, create a new client instance for each .send() call.
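
The state carry-over described above, and the per-send-instance workaround, as an added example that is not code from the Lettermint SDK or its advisory. FluentMailer, its method names, the appending behaviour of to() and attach(), and the addresses are assumptions constructed for illustration; leakedFields() is the kind of regression check an application can run against its own mail wrapper.

```javascript
// Hypothetical stand-in for a fluent email client that keeps message state on
// the instance. Not the Lettermint SDK's code; method names are assumptions.
class FluentMailer {
  constructor() {
    this.payload = { to: [], attachments: [] }; // never cleared: the bug class
  }
  to(addr) { this.payload.to.push(addr); return this; }
  subject(s) { this.payload.subject = s; return this; }
  html(h) { this.payload.html = h; return this; }
  text(t) { this.payload.text = t; return this; }
  attach(filename, content) {
    this.payload.attachments.push({ filename, content });
    return this;
  }
  send() {
    // Return a copy of what would be posted to the mail API (no network here).
    const { to, attachments } = this.payload;
    return { ...this.payload, to: [...to], attachments: [...attachments] };
  }
}

// Constructed scenario: a password reset for Alice, then a welcome mail for Bob.
// getMailer() decides whether both sends share one instance.
function sendTwo(getMailer) {
  getMailer().to('alice@example.test').subject('Password reset')
    .html('<a href="https://app.example.test/reset?token=CONSTRUCTED">Reset</a>')
    .attach('alice-invoice.pdf', 'constructed-bytes')
    .send();
  return getMailer().to('bob@example.test').subject('Welcome').text('Hi Bob').send();
}

// Regression check: fields in Bob's message that Bob's call never set.
function leakedFields(msg) {
  const leaks = [];
  if (msg.to.some((addr) => addr !== 'bob@example.test')) leaks.push('to');
  if (msg.html !== undefined) leaks.push('html');
  if (msg.attachments.length > 0) leaks.push('attachments');
  return leaks;
}

const shared = new FluentMailer();
const reused = leakedFields(sendTwo(() => shared));              // one instance, two sends
const perSend = leakedFields(sendTwo(() => new FluentMailer())); // workaround from the advisory
console.log({ reused, perSend });
```

With the shared instance, Bob's message carries Alice's address, her reset link and her attachment; with one instance per send it carries none of them.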

Related Identifiers

CVE-2026-27492
GHSA-49PC-8936-WVFP

Affected Products

Lettermint Node.Js Sdk