High severity7.2NVD Advisory· Published May 25, 2026· Updated May 26, 2026
CVE-2026-48848
CVE-2026-48848
Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: <1.6.16, <1.7.1
Patches
Vulnerability mechanics
References
5- github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27nvd
- github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9nvd
- github.com/roundcube/roundcubemail/releases/tag/1.6.16nvd
- github.com/roundcube/roundcubemail/releases/tag/1.7.1nvd
- roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1nvd
News mentions
0No linked articles in our index yet.