Every CVE whose affected-product data names Kde Kmail, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (10)
CVE-2016-7967 — CVSS 8.1 (high): KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local…
CVE-2017-9604 — CVSS 7.5 (high): KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's…
CVE-2016-7966 — CVSS 7.3 (high): Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser…
CVE-2020-15954 — CVSS 6.5 (medium): KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
CVE-2020-11880 — CVSS 6.5 (medium): An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or…
CVE-2016-7968 — CVSS 6.5 (medium): KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript…
CVE-2014-8878 — CVSS 5.9 (medium): KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive…
CVE-2017-17689 — CVSS 5.9 (medium): The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext…
CVE-2021-38373 — CVSS 5.3 (medium): In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires…
CVE-2019-10732 — CVSS 4.3 (medium): In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart…