[GH-ISSUE #423] Potential attack using "mailto:" #351

New issue

Closed

opened 2026-02-25 21:34:49 +03:00 by kerem · 1 comment

kerem commented 2026-02-25 21:34:49 +03:00

Owner

Copy link

Originally created by @dumblob on GitHub (Aug 24, 2020).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/423

Originally assigned to: @jasonmunro on GitHub.

I'm not sure Cypht does anything special with "mailto:" links, but either way it might be interesting to see what threats are lurking around:

https://www.zdnet.com/article/some-email-clients-are-vulnerable-to-attacks-via-mailto-links/

Originally created by @dumblob on GitHub (Aug 24, 2020). Original GitHub issue: https://github.com/cypht-org/cypht/issues/423 Originally assigned to: @jasonmunro on GitHub. I'm not sure Cypht does anything special with "mailto:" links, but either way it might be interesting to see what threats are lurking around: https://www.zdnet.com/article/some-email-clients-are-vulnerable-to-attacks-via-mailto-links/

kerem 2026-02-25 21:34:49 +03:00

• closed this issue
• added the
  Security
  research
  labels

kerem commented 2026-02-25 21:34:49 +03:00

Author

Owner

Copy link

@jasonmunro commented on GitHub (Sep 17, 2020):

Cypht supports mailto links to pre-populate the To, Cc, Bcc, Subject, and Body fields. This specific vulnerability uses the more esoteric attachment parameter to pre-attach a local file which we don't support so we should be good here.

<!-- gh-comment-id:694481999 --> @jasonmunro commented on GitHub (Sep 17, 2020): Cypht supports mailto links to pre-populate the To, Cc, Bcc, Subject, and Body fields. This specific vulnerability uses the more esoteric attachment parameter to pre-attach a local file which we don't support so we should be good here.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

2.x

mta-sts-implementation

feat-compose-backspace-delete-recipients

release-2.5.1

add-tls3-support

1.4.x

enforce-coverage

release-2.4.2

strip_dns_prefetch_tags

fix_nightly_build

pr-title-validation-update

review-sent-email

revert-1339-fixed-tags-display

revert-1061-rem-cram-md5

sys-messages-revamp

revert-685-fixed-str-pos-warning-when-no-to

revert-590-empty-settings

release-1.3.0

revert-471-draft-add-warning

revert-454-feature/server-list-by-uniqid

php7.4-support

release-1.2.0

remove-mobile-media-queries

release-1.1.0

release-1.0.0

v2.7.0

v2.6.0

v2.5.1

v2.5.0

v1.4.7

v2.4.2

v2.4.1

v1.4.6

v1.4.5

v2.4.0

v2.3.0

v2.2.0

v1.4.4

v2.1.0

v2.0.1

v1.4.3

v2.0.0

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.3.0-rc3

v1.3.0-rc2

v1.3.0-rc1

v1.1.0

v1.1.0-rc4

v1.1.0-rc3

v1.1.0-rc2

v1.1.0-rc1

v1.0.0

v1.0.0-rc8

v1.0.0-rc7

v1.0.0-rc6

v1.0.0-rc5

v1.0.0-rc4

v1.0.0-rc3

v1.0.0-rc2

v1.0.0-rc1

Labels

Clear labels   

2fa

  

I18N

  

PGP

  

Security

  

Security

  

account

  

advanced_search

  

advanced_search

  

announcement

  

api_login

  

authentication

  

awaiting feedback

  

blocker

  

bug

  

bug

  

bug

  

calendar

  

config

  

contacts

  

core

  

core

  

devops

  

docker

  

docs

  

duplicate

  

dynamic_login

  

enhancement

  

epic

  

feature

  

feeds

  

framework

  

github

  

github

  

gmail_contacts

  

good first issue

  

help wanted

  

history

  

history

  

imap

  

imap_folders

  

inline_message

  

installation

  

keyboard_shortcuts

  

keyboard_shortcuts

  

ldap_contacts

  

mobile

  

need-ssh-access

  

new module set

  

nux

  

pop3

  

profiles

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

refactor

  

release

  

research

  

saved_searches

  

smtp

  

strategic

  

tags

  

tests

  

themes

  

website

  

wordpress

No labels

2fa

I18N

PGP

Security

Security

account

advanced_search

advanced_search

announcement

api_login

authentication

awaiting feedback

blocker

bug

bug

bug

calendar

config

contacts

core

core

devops

docker

docs

duplicate

dynamic_login

enhancement

epic

feature

feeds

framework

github

github

gmail_contacts

good first issue

help wanted

history

history

imap

imap_folders

inline_message

installation

keyboard_shortcuts

keyboard_shortcuts

ldap_contacts

mobile

need-ssh-access

new module set

nux

pop3

profiles

pull-request

question

refactor

release

research

saved_searches

smtp

strategic

tags

tests

themes

website

wordpress

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/cypht#351

No description provided.