CVE-2020-27748
CVE-2020-27748 is a medium-severity vulnerability in Freedesktop Xdg-utils with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-201.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 4.3
- EPSS exploit prediction: 1% (70th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-201
- Affected product: Freedesktop Xdg-utils
- Published:
- Last modified:
Description
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
Frequently asked questions
- What is CVE-2020-27748?
- A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
- How severe is CVE-2020-27748?
- CVE-2020-27748 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2020-27748 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (70th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-27748?
- CVE-2020-27748 affects Freedesktop Xdg-utils. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-27748?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-27748 published?
- CVE-2020-27748 was published on 2021-06-01 and last updated on 2026-06-17.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1899769
- https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
Affected products (1)
- cpe:2.3:a:freedesktop:xdg-utils:*:*:*:*:*:*:*:*
More vulnerabilities in Freedesktop Xdg-utils
- CVE-2015-1877 — High (CVSS 8.8): The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 in Debian, when using dash, does not properly…
- CVE-2017-18266 — High (CVSS 8.8): The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program…
- CVE-2022-4055 — High (CVSS 7.4): When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional…
- CVE-2009-0068 — Medium (CVSS 6.8): Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME…
All CVEs affecting Freedesktop Xdg-utils →
Other CWE-201 vulnerabilities
- CVE-2025-49408 — Critical (CVSS 10.0): Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded…
- CVE-2024-7205 — Critical (CVSS 9.4): When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to…
- CVE-2026-39912 — Critical (CVSS 9.1): V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the…
- CVE-2025-48749 — Critical (CVSS 9.1): Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive…
- CVE-2025-11500 — High (CVSS 8.7): Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication…
- CVE-2025-48045 — High (CVSS 8.7): An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user…