This page aggregates publicly disclosed CVE and security risk information related to haraka_project, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-34752 | Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4. | [email protected] | 8.7 | 0.03% | 2026-04-02 | 2026-04-03 |
| CVE-2016-1000282 | Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection. | [email protected] | 9.8 | 68.31% | 2019-02-05 | 2024-11-21 |