High severity7.8CISA KEVNVD Advisory· Published Nov 9, 2017· Updated Apr 21, 2026

CVE-2017-16651

Description

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

Affected products

Roundcube/Webmail11 versions
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*range: <=1.1.9
- cpe:2.3:a:roundcube:webmail:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.3.2:*:*:*:*:*:*:*
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

7f992eac3d28

https://github.com/roundcube/roundcubemailvia osv

987856eee254

https://github.com/roundcube/roundcubemailvia osv

d84391d2c850

https://github.com/roundcube/roundcubemailvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/roundcube/roundcubemail/issues/6026nvdIssue TrackingPatchThird Party Advisory
packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.htmlnvdExploitThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/101793nvdThird Party AdvisoryVDB Entry
github.com/roundcube/roundcubemail/releases/tag/1.1.10nvdIssue TrackingRelease NotesThird Party Advisory
github.com/roundcube/roundcubemail/releases/tag/1.2.7nvdIssue TrackingRelease NotesThird Party Advisory
github.com/roundcube/roundcubemail/releases/tag/1.3.3nvdIssue TrackingRelease NotesThird Party Advisory
lists.debian.org/debian-lts-announce/2017/11/msg00039.htmlnvdMailing ListThird Party Advisory
roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10nvdIssue TrackingVendor Advisory
www.debian.org/security/2017/dsa-4030nvdIssue TrackingThird Party Advisory
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.030
exploit	0.030
kev	0.120
patch	-0.070
ransomware	0.000