{"id":"CVE-2020-11880","details":"An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) \"mailto?attach=...\" parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value.","modified":"2026-03-14T09:53:59.402065Z","published":"2020-04-17T18:15:11.837Z","references":[{"type":"ADVISORY","url":"https://cgit.kde.org/kmail.git/tag/?h=v19.12.3"},{"type":"FIX","url":"https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kde/kmail","events":[{"introduced":"0"},{"fixed":"75e8d32a308490cc26f246e98f8f15438b0e7b50"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"19.12.3"}]}}],"versions":["v16.11.80","v16.11.90","v16.12.0","v16.12.1","v16.12.2","v16.12.3","v17.03.80","v17.03.90","v17.04.0","v17.04.1","v17.04.2","v17.04.3","v17.07.80","v17.07.90","v17.08.0","v17.08.1","v17.08.2","v17.08.3","v17.11.80","v17.11.90","v17.12.0","v17.12.1","v17.12.2","v17.12.3","v18.03.80","v18.03.90","v18.04.0","v18.04.1","v18.04.2","v18.07.80","v18.07.90","v18.08.0","v18.08.1","v18.08.2","v18.08.3","v18.11.80","v18.11.90","v18.12.0","v18.12.1","v18.12.2","v18.12.3","v19.03.80","v19.03.90","v19.04.0","v19.04.1","v19.04.2","v19.07.80","v19.07.90","v19.08.0","v19.08.1","v19.08.2","v19.11.80","v19.11.90","v19.12.0","v19.12.1","v19.12.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11880.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}