Description
KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration.
References (4)
Core 4
Core References
Various Sources
https://developers.google.com/safe-browsing/v4
Various Sources
https://developers.google.com/safe-browsing/v4/lookup-api
Various Sources
https://github.com/KDE/messagelib/compare/v25.11.80...v25.11.90
Scores
CVSS v3
3.4
EPSS
0.0024
EPSS Percentile
15.0%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (1)
KDE/messagelib
< 25.11.90
Published
Jan 01, 2026
Tracked Since
Feb 18, 2026