{"id":"CVE-2020-11880","details":"An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) \"mailto?attach=...\" parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value.","modified":"2026-04-11T22:57:30.589500Z","published":"2020-04-17T18:15:11.837Z","references":[{"type":"ADVISORY","url":"https://cgit.kde.org/kmail.git/tag/?h=v19.12.3"},{"type":"FIX","url":"https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kde/kmail","events":[{"introduced":"0"},{"fixed":"75e8d32a308490cc26f246e98f8f15438b0e7b50"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"19.12.3"}],"cpe":"cpe:2.3:a:kde:kmail:*:*:*:*:*:*:*:*"}}],"versions":["v17.11.80","v19.03.80","v19.11.80","v19.11.90","v19.12.0","v19.12.1","v19.12.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11880.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}