GCVE - cpe:2.3:a:kde:messagelib:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:kde:messagelib:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Kde (`d8ba08cf-7ec1-5504-a5b9-f8cfa50ca850`)
Product	Messagelib (`1adbd7a1-aba3-58b5-9746-1356ed6ae6fa`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/kf5-messagelib`	purl2cpe	2026-06-01 10:14:04.897536
`pkg:deb/ubuntu/kf5-messagelib`	purl2cpe	2026-06-01 10:14:04.897539
`pkg:github/kde/messagelib`	purl2cpe	2026-06-01 10:14:04.897542
`pkg:rpm/fedora/kf5-messagelib`	purl2cpe	2026-06-01 10:14:04.897545
`pkg:rpm/opensuse/messagelib`	purl2cpe	2026-06-01 10:14:04.897547

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-69412`	vulnerable	2026-06-03 15:12:25.939667	Details available LOW (3.4) KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. Published: 2025-12-31T23:20:55.785Z Updated: 2026-01-02T13:45:18.339Z Open on db.gcve.eu Reference links https://github.com/KDE/messagelib/compare/v25.11.80...v25.11.90 https://github.com/KDE/messagelib/commit/01adef0482bb3d5c817433db5208620c84a992b3 https://developers.google.com/safe-browsing/v4 https://developers.google.com/safe-browsing/v4/lookup-api	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-31855`	vulnerable	2026-06-03 14:44:33.636606	Details available KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. With a crafted message, a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message. This occurs in ViewerPrivate::deleteAttachment in messageviewer/src/viewer/viewer_p.cpp. Published: 2021-06-02T00:00:00.000Z Updated: 2024-08-03T23:10:30.742Z Open on db.gcve.eu Reference links https://kde.org/info/security/advisory-20210429-1.txt https://github.com/KDE/messagelib/commit/3b5b171e91ce78b966c98b1292a1bcbc8d984799	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-9604`	vulnerable	2026-06-03 14:37:41.925159	Details available KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network. Published: 2017-06-13T13:00:00.000Z Updated: 2024-09-17T02:16:34.175Z Open on db.gcve.eu Reference links https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197 https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.