CVEFinder.io

CVE-2020-7769

⚠️ high
Summary

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

CVSS Score
8.6
High
EPSS Score
0.5
Exploit Probability
Published Date
2020-11-12
First Seen: 2026-01-05
Last Modified 2024-11-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CWE IDs (Weakness Types)
CWE-88

🔗 References 8

https://github.com/nodemailer/nodemailer/blob/33b62e...
Broken Link Third Party Advisory
https://github.com/nodemailer/nodemailer/commit/ba31...
Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742
Exploit Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
Exploit Patch Third Party Advisory
https://github.com/nodemailer/nodemailer/blob/33b62e...
Broken Link Third Party Advisory
https://github.com/nodemailer/nodemailer/commit/ba31...
Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742
Exploit Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
Exploit Patch Third Party Advisory

📦 Affected Products 1

Vendor Product Status Affected Versions
nodemailer nodemailer Affected
< 6.4.16

🔗 Related CVEs 3

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-14874 ⚠️ high 7.5 0.1 A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header t... 2025-12-18
CVE-2025-13033 ⚠️ high 7.5 0.1 A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient em... 2025-11-14
CVE-2021-23400 🔶 medium 6.3 0.5 The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain n... 2021-06-29
These CVEs affect the same products