High severity7.5NVD Advisory· Published Aug 5, 2024· Updated Apr 15, 2026

CVE-2024-42010

Description

mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.

Patches

ed988390312e

https://github.com/roundcube/roundcubemailvia osv

commit

44ed0d6fb0ce

https://github.com/roundcube/roundcubemailvia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/roundcube/roundcubemail/releases/tag/1.5.8nvd
github.com/roundcube/roundcubemail/releases/tag/1.6.8nvd
roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8nvd
sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.012
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000