CVE-2018-15670
Description
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that OpenURL is the default URL handler. A navigation request is processed by the default URL handler only if the currentEvent is NX_LMOUSEUP or NX_OMOUSEUP. An attacker may abuse HTML elements with an EventHandler for a chance to validate navigation requests for URLs that are processed during the NX_LMOUSEUP event triggered by clicking an email.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Airmail 3 for macOS allows crafted email HTML to intercept mouse-up events and spoof navigation, enabling URL filter bypass.
Vulnerability
Airmail 3 for macOS version 3.5.9 suffers from a URL validation bypass in its primary WebView instance. The method webView:decidePolicyForNavigationAction:request:frame:decisionListener: uses OpenURL as the default URL handler, which only processes a navigation request if the current event is NX_LMOUSEUP or NX_OMOUSEUP. An attacker can embed HTML with an EventHandler that triggers during the NX_LMOUSEUP event, causing a malicious URL to bypass intended policy decisions [1].
Exploitation
An attacker sends a crafted email containing HTML elements with event handlers that force a navigation request to be processed during the NX_LMOUSEUP event. The victim must click on the email content (e.g., a link or button) that triggers the NX_LMOUSEUP event. No special privileges or network position are required beyond sending an email to the victim.
Impact
Successful exploitation allows an attacker to cause Airmail to open arbitrary URLs without proper validation. This could lead to unintended exposure of sensitive information, loading of malicious websites, or enabling further attacks such as phishing or drive-by downloads, depending on the URL scheme handler.
Mitigation
No fix has been released by the vendor as of the advisory publication date (August 2018). Airmail 3 for Mac version 3.5.9 remains vulnerable. Users should consider alternative email clients or disable automatic URL handling until a patch is available. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- versprite.com/advisories/airmail-3-for-mac-4/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.