Charles A. Roelli

**Name of the Vulnerable Software and Affected Versions** GNU Emacs versions prior to 25.3 **Description** The issue allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands. This is related to an unsafe text/enriched extension in lisp/textmodes/enriched.el and unsafe Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el. An Emacs user can be instantly compromised by reading a crafted email message or Usenet news article. **Recommendations** For GNU Emacs versions prior to 25.3, update to version 25.3 or later to resolve the issue. As a temporary workaround, consider disabling the enriched text mode in lisp/textmodes/enriched.el and restricting Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el to minimize the risk of exploitation. Avoid using the x-display XML element in email clients until the issue is resolved.