Airmail App - JavaScript Injection Vulnerability Exposes Sensitive Data

A vulnerability has been identified in the popular iOS/macOS email apps “Airmail - Your Mail With You” and “Airmail for Business” that poses a significant risk. The vulnerability, classified as a JavaScript injection combined with an insecurely configured WebView, was present in versions of the apps prior to 5.7. Users are strongly encouraged to update to the latest version of “Airmail - Your Mail With You” and “Airmail for Business” to protect their data.


  • Product: Airmail - Your Mail With You, Airmail for Business
  • Affected Version: < 5.7
  • Vulnerability Type: Improper Neutralization of Input During Web Page Generation / “Cross-site Scripting” (CWE-79), Insecure Storage of Sensitive Information (CWE-922)
  • Risk Level: High
  • Vendor URL:
  • Vendor acknowledged vulnerability: Yes
  • Vendor Status: Fixed
  • CVE: N/A

The vulnerability exists because JavaScript code that can access sensitive information can be injected into an HTML email message. For example, the following HTML code could trigger JavaScript to run when an email is opened:

Please Wait...
onload='setTimeout(function(){document.write("<p style=color:white>JavaScript was executed.</p>");},1000);'>

Since the Web view in which the code is executed is insecurely configured to allow the JavaScript code to access certain sensitive data, malicious code could access this data.

The vulnerability has been demonstrated using a specially crafted email. Once the HTML email containing the malicious JavaScript code is opened in the app, it gains access to the Data.db file. This file contains the user’s email data for the current mailbox. As a result, the malicious code can send the contents of the Data.db file to an external server.


Exploitation of this vulnerability by an attacker could have serious privacy implications. The Data.db file contains extensive sensitive email information, such as all emails in the mailbox, sent emails, etc.



  • 2024-03-13: Vulnerability reported to the vendor.
  • 2024-03-18: Vendor has reported that the vulnerability has been fixed.
  • 2024-04-29: This blog post was published.