VYPR
Unrated severity · NVD Advisory · Published Aug 21, 2018 · Updated Aug 5, 2024

CVE-2018-15667

Description

An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler, such as a hyperlink in an email. The user is not prompted when the handler processes the "send" command, which leads to automatic transmission of an attacker-crafted email from the target account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Airmail 3 for macOS allows unauthenticated email sending via the airmail:// URL scheme 'send' command without user prompt.

Vulnerability

An issue was discovered in Bloop Airmail 3 version 3.5.9 for macOS. The application registers the airmail:// URL scheme and implements a send command that allows sending arbitrary emails from an active account without authentication. The handler has no restriction on who can invoke its functionality [1].

Exploitation

An attacker can exploit this by crafting a hyperlink or using any method that triggers the URL scheme, such as embedding the link in an email. When the victim clicks the link, the handler processes the send command automatically without prompting the user, resulting in the transmission of an attacker-crafted email from the target account [1].

Impact

Successful exploitation enables an attacker to send arbitrary emails from the victim's active Airmail account without consent, which could be used for information disclosure, phishing, or malware distribution.

Mitigation

As of the advisory, the vendor (Bloop) did not provide a response or fix [1]. Users should update to a patched version if available; otherwise, consider disabling or unregistering the airmail:// URL scheme or using an alternative email client.
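
A screening check for inbound mail, as an added example that is not part of the advisory or of any vendor code: it flags links that use the airmail: scheme with the `send` command, so a mail filter can strip or quarantine them before a user clicks. Where the command sits in the URL, the `example-other` command and the placeholder query parameters in the sample are assumptions; the advisory does not give the URL layout.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

SCHEME = "airmail"        # URL scheme named in the advisory
AUTO_COMMANDS = {"send"}  # command the advisory says runs without a prompt

def airmail_command(url):
    """Return the command of an airmail: URL, or None for any other URL."""
    # Assumption: the command is the authority (airmail://<command>) or, failing
    # that, the first path segment; the advisory does not give the URL layout.
    cleaned = re.sub(r"[\x00-\x20]", "", url)  # drop whitespace/control chars
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return None
    if parts.scheme != SCHEME:  # urlsplit lowercases the scheme
        return None
    command = parts.hostname or parts.path.lstrip("/").split("/", 1)[0]
    return unquote(command).lower()

class LinkCollector(HTMLParser):
    """Collect URL-bearing attribute values; HTMLParser decodes entities."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]

def find_auto_send_links(body):
    """Return the airmail: links in an HTML or plain-text body that use 'send'."""
    collector = LinkCollector()
    collector.feed(body)
    # Plain-text parts have no tags, so also match bare URLs in the text
    bare = re.findall(r"(?i)\bairmail:[^\s\"'<>]+", body)
    hits = []
    for url in collector.urls + [html.unescape(u) for u in bare]:
        if airmail_command(url) in AUTO_COMMANDS and url not in hits:
            hits.append(url)
    return hits

# Constructed sample body; query parameters and "example-other" are placeholders
SAMPLE_HTML = (
    '<a href="https://example.com/invoice">View</a>'
    '<a href="AirMail://Send?placeholder=1">Open</a>'
    '<a href="&#97;irmail://s%65nd?placeholder=2">Details</a>'
    '<a href="airmail://example-other?placeholder=3">Reply</a>'
)
```

The check normalizes case, HTML entities and percent-encoding before comparing, so obfuscated spellings of the same link are still flagged.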

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
