Unrated severityCISA KEVNVD Advisory· Published Sep 22, 2023· Updated Oct 21, 2025

CVE-2023-43770

Description

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

Affected products

Roundcube/Roundcubedescription

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.debian.org/debian-lts-announce/2023/09/msg00024.htmlmitremailing-list
github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49bmitre
roundcube.net/news/2023/09/15/security-update-1.6.3-releasedmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.064
exploit	0.000
kev	0.120
patch	0.000
ransomware	0.000