This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate listsend

Dependencies

(8 total, 1 possibly insecure)

CrateRequiredLatestStatus
 clap^4.5.264.6.1up to date
 csv^1.3.11.4.0up to date
 dotenv^0.15.00.15.0up to date
 handlebars^6.3.06.4.3up to date
 lettre ⚠️^0.11.110.11.22maybe insecure
 openssl-sys^0.9.1040.9.117up to date
 serde^1.0.2171.0.228up to date
 tap^1.0.11.0.1up to date

Security Vulnerabilities

lettre: TLS hostname verification disabled when using Boring TLS backend

RUSTSEC-2026-0141

An inverted-boolean bug in lettre's boring-tls integration silently disables TLS hostname verification for callers using the default (strict) configuration. An on-path attacker presenting any chain-valid certificate for any domain can intercept SMTP submission, including PLAIN/LOGIN credentials and message contents, against any lettre user built with the boring-tls feature. Other TLS backends (native-tls, rustls) are unaffected.

The bug was introduced in v0.10.1 and persists through v0.11.21 (latest).