KDE Project Security Advisory
=============================

Title:           messagelib: man-in-the-middle vulnerability when accessing Google Safe Browsing API
Risk rating:     LOW
CVE:             CVE-2025-69412
Versions:        messagelib < 6.6.0 (KDE Gear 25.12.0)
Date:            7 January 2026

Overview
========

messagelib was ignoring SSL errors when contacting the Google Safe Browsing API.
Contacting the Google Safe Browsing API is disabled by default.

Impact
======

An attacker could intercept and manipulate traffic between the applications
using messagelib (KMail, Akregator, etc.) and the Google Safe Browsing service,
potentially compromising the integrity of the safety checks performed on URLs.

Solution
========

Update to messagelib 6.6.0 (KDE Gear 25.12.0) or later.

Apply https://invent.kde.org/pim/messagelib/-/commit/df525dc91498423f3c45e143efab1c7102776652 for older messagelib versions.

Credits
=======

Thanks to Valeriy Manzhos for reporting this issue.
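
A review aid for finding the class of bug described in the Overview in other Qt code, added here as an example; it is not part of the advisory or of messagelib. It assumes the bypass appears as a call to Qt's `ignoreSslErrors()` or `setPeerVerifyMode(QSslSocket::VerifyNone)`; the advisory does not show the affected code, and the C++ sample below is constructed.

```python
import re

# Constructed Qt/C++ sample for illustration; this is not messagelib code.
SAMPLE = '''\
void Job::start() {
    QNetworkRequest req(QUrl(QStringLiteral("https://example.invalid/lookup")));
    mReply = mgr->post(req, body);
    connect(mReply, &QNetworkReply::sslErrors, this, &Job::slotSslErrors);
}
void Job::slotSslErrors(const QList<QSslError> &) {
    mReply->ignoreSslErrors();            // blanket: any certificate error accepted
}
void Other::onErrors(QNetworkReply *reply) {
    reply->ignoreSslErrors(mExpected);    // scoped: only the listed errors
    /* reply->ignoreSslErrors();  disabled call, must not be reported */
    conf.setPeerVerifyMode(QSslSocket::VerifyNone);
}
'''

# String literals are matched so that "//" inside a URL is not taken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
_IGNORE = re.compile(r'\bignoreSslErrors\s*\(\s*([^)]*?)\s*\)')
_VERIFY_NONE = re.compile(r'\bsetPeerVerifyMode\s*\(\s*QSslSocket\s*::\s*VerifyNone\s*\)')


def strip_comments(src):
    """Blank out C++ comments but keep newlines, so line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return _TOKEN.sub(repl, src)


def audit(src):
    """Return sorted (line, kind) findings for TLS-verification bypasses."""
    clean = strip_comments(src)
    line_of = lambda pos: clean.count('\n', 0, pos) + 1
    found = [(line_of(m.start()), 'scoped' if m.group(1) else 'blanket')
             for m in _IGNORE.finditer(clean)]
    found += [(line_of(m.start()), 'verify-none')
              for m in _VERIFY_NONE.finditer(clean)]
    return sorted(found)


if __name__ == '__main__':
    for line, kind in audit(SAMPLE):
        print(f'line {line}: {kind}')
```

`blanket` and `verify-none` findings accept any certificate and need fixing; `scoped` findings need a reviewer to confirm the listed errors are narrowly justified.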