CVE-2016-7967 (kmail)
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.
Source: CVE-2016-7967 (kmail)