VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

CVE-2026-48849

Description

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 are vulnerable to stored XSS via an unsanitized subject in the draft restore dialog.

Vulnerability

In Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the subject field of a draft email is not properly sanitized when displayed in the draft restore dialog. This allows stored cross-site scripting (XSS), HTML, or CSS injection. The vulnerability exists in the rcube_webmail function where the subject is inserted into the dialog without escaping [1][2][4].

Exploitation

An attacker with access to a shared mailbox saves a draft whose subject field carries HTML or JavaScript. When that subject later appears in another user's draft restore dialog, the dialog body is built by splicing the raw subject into the label's HTML, so the payload renders the moment the prompt is displayed; the victim does not have to click "Restore" or anything else in the dialog. No interaction beyond triggering the prompt is required [3][4].

Impact

Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser. This can result in session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The attack targets shared mailboxes, affecting multiple users of the same Roundcube instance [1][2][3].

Mitigation

The issue is fixed in Roundcube Webmail versions 1.6.16 (LTS) and 1.7.1, released on May 24, 2026. Users are strongly advised to update to these versions immediately. No workarounds have been provided [1][2][3].
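The check a practitioner wants at this point is whether a given install sits inside the affected ranges, 1.6.x before 1.6.16 and 1.7.x before 1.7.1. The following is an added example, not code from Roundcube or this advisory; the function names are assumptions made for the demonstration. It compares version components numerically (a plain string comparison would order "1.6.16" before "1.6.2") and treats a pre-release suffix such as "-rc1" as older than the final release it precedes.

```javascript
// Added example (not Roundcube's own code): classify an installed Roundcube
// version against the affected ranges stated in the advisory.
// Function and constant names are assumptions for this demonstration.

// Branch -> first fixed release, as stated in the advisory.
const FIXED_VERSIONS = { '1.6': '1.6.16', '1.7': '1.7.1' };

// Accepts '1.6.15', 'v1.6.15' and pre-release forms like '1.7.1-rc1'.
function parseVersion(v) {
  const m = String(v).trim().match(/^v?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$/);
  if (!m) throw new Error('unparseable version: ' + v);
  return { nums: m[1].split('.').map(Number), pre: m[2] || null };
}

// Returns -1, 0 or 1. Components are compared as numbers, missing
// components count as 0, and a pre-release sorts before the final release.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.nums.length, pb.nums.length);
  for (let i = 0; i < n; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// True when the version is on an affected branch and older than that
// branch's fix. Branches the advisory does not mention return false,
// because the advisory makes no claim about them.
function isAffectedByCve202648849(version) {
  const { nums } = parseVersion(version);
  const fixed = FIXED_VERSIONS[nums[0] + '.' + nums[1]];
  if (!fixed) return false;
  return compareVersions(version, fixed) < 0;
}

// Stand-alone run over a few constructed inputs.
for (const v of ['1.6.15', '1.6.16', '1.6.2', '1.7.0', '1.7.1', 'v1.7.1-rc1']) {
  console.log(v, isAffectedByCve202648849(v) ? 'affected' : 'not affected');
}
```

Feed it the value of `RCMAIL_VERSION` from `program/include/iniset.php` on the install being checked; a `true` result means the upgrade to 1.6.16 or 1.7.1 is still outstanding.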

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (2)
a21519187873

Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog

https://github.com/roundcube/roundcubemail · Aleksander Machniak · May 24, 2026 · via nvd-ref
2 files changed · +2 −1
  • CHANGELOG.md · +1 −0 · modified
    @@ -3,6 +3,7 @@
     ## Unreleased
     
     - Fix potential too long value in IMAP ID command (#10136)
    +- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
     
     ## Release 1.6.15
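Review bot: the new Security line carries no CVE identifier or issue number, unlike the neighbouring entry `- Fix potential too long value in IMAP ID command (#10136)`; append `(CVE-2026-48849)` to the entry so readers of CHANGELOG.md can map the 1.6.16 release to this advisory.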
     
    
  • program/js/app.js · +1 −1 · modified
    @@ -4716,7 +4716,7 @@ function rcube_webmail()
             this.show_popup_dialog(
               this.get_label('restoresavedcomposedata')
                 .replace('$date', new Date(formdata.changed).toLocaleString())
    -            .replace('$subject', formdata._subject)
    +            .replace('$subject', $('<span>').text(formdata._subject).html())
                 .replace(/\n/g, '<br/>'),
               this.get_label('restoremessage'),
               [{
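Review bot: the replacement is still passed as a string, so `.replace('$subject', $('<span>').text(formdata._subject).html())` lets `String.prototype.replace` interpret `$&`, `$'`, `$$` and the backtick-dollar sequence inside the subject as substitution patterns; `.html()` leaves `$` untouched, so a subject containing `$'` gets the label text that follows the placeholder spliced into the dialog. Pass a function instead, `.replace('$subject', function() { return $('<span>').text(formdata._subject).html(); })`, which inserts the value verbatim. The escaping itself is adequate for this spot: serializing a text node encodes only `&`, `<` and `>`, which suffices because the value lands in element content and not in an attribute.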
    
189d30a48903

Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog

https://github.com/roundcube/roundcubemail · Aleksander Machniak · May 24, 2026 · via nvd-ref
2 files changed · +2 −1
  • CHANGELOG.md · +1 −0 · modified
    @@ -14,6 +14,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
     - Fix so `REQUEST_URI` is used as a fallback if `PATH_INFO` is not set in static.php (#10181)
     - Fix `assets_path` feature and remove dependency on `PATH_INFO` (#10185)
     - Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
    +- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
     
     ## Release 1.7.0
     
    
  • program/js/app.js · +1 −1 · modified
    @@ -4990,7 +4990,7 @@ function rcube_webmail() {
                     this.show_popup_dialog(
                         this.get_label('restoresavedcomposedata')
                             .replace('$date', new Date(formdata.changed).toLocaleString())
    -                        .replace('$subject', formdata._subject)
    +                        .replace('$subject', $('<span>').text(formdata._subject).html())
                             .replace(/\n/g, '<br/>'),
                         this.get_label('restoremessage'),
                         [{
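Review bot: `.replace(/\n/g, '<br/>')` runs after the subject has been substituted, so a newline inside `formdata._subject` becomes a `<br/>` in the dialog; the escaping on the line above cannot prevent that because it only encodes `&`, `<` and `>` and the tag is produced afterwards. The result is a fixed, harmless tag, but if the newline-to-break conversion is intended for the label text only, move it ahead of the `$date` and `$subject` substitutions. Apart from indentation this hunk matches the 1.6 branch change line for line, so the same `$`-pattern caveat on string replacements applies here.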
    

Vulnerability mechanics

Root cause

"Missing HTML sanitization of the draft subject field before interpolation into the restore dialog's HTML string."

Attack vector

An attacker with access to a shared mailbox saves a draft whose subject field contains malicious HTML or JavaScript. When another user (or the same user on a different session) opens the draft restore dialog, the unsanitized subject is injected into the page DOM, executing the attacker's payload. No authentication bypass is required beyond normal mailbox access; the attack is triggered purely by the victim viewing the draft restore prompt.

Affected code

The vulnerability resides in `program/js/app.js` within the `rcube_webmail()` function. The draft restore dialog constructs its message by interpolating `formdata._subject` directly into the label HTML via `.replace('$subject', formdata._subject)` (commits a21519187873 for 1.6.x and 189d30a48903 for 1.7.x). The resulting string, subject included, is passed to `show_popup_dialog()`, which renders it as HTML, as the subsequent `.replace(/\n/g, '<br/>')` on the same value makes clear.

What the fix does

Both patches change the single line that inserts the subject into the dialog label. The original `formdata._subject` is replaced with `$('<span>').text(formdata._subject).html()`, which sets the subject as the text content of a detached `<span>` and reads back its serialized HTML, so `<`, `>` and `&` reach the dialog as entities and can no longer open a tag or an attribute. Quotes are not encoded by this serialization, which is sufficient here because the value is placed in element content rather than in an attribute. The `$date` placeholder, filled from `toLocaleString()`, and the trailing newline-to-`<br/>` conversion are unchanged.
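To make the difference between the vulnerable and the patched line concrete for both the Vulnerability section above and this fix description, the following is an added example, not code from Roundcube or from this advisory. It re-implements the label construction in plain JavaScript so it runs under Node without jQuery; the label text, the sample localStorage record and all function names are constructed for the demonstration, and `escapeTextNode` stands in for what `$('<span>').text(s).html()` produces in a browser. It also goes one step past the fix by showing the function-form replacement that keeps a `$` in the subject verbatim.

```javascript
// Added example (not Roundcube's own code): the draft-restore label built
// three ways, with a constructed label that carries the two placeholders the
// real code substitutes. Names and sample data are assumptions.

const RESTORE_LABEL =
  'Unsaved message data found.\nDate: $date\nSubject: $subject\nRestore it?';

// Mimics serializing a text node, which is what $('<span>').text(s).html()
// does in a browser: only '&', '<' and '>' are encoded, quotes are left alone.
// A missing subject yields '' rather than the string "undefined".
function escapeTextNode(s) {
  return String(s == null ? '' : s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable form (1.6.x < 1.6.16, 1.7.x < 1.7.1): raw subject in the markup.
function buildRestoreLabelVulnerable(label, formdata) {
  return label
    .replace('$date', new Date(formdata.changed).toLocaleString())
    .replace('$subject', formdata._subject)
    .replace(/\n/g, '<br/>');
}

// Patched form: subject is entity-encoded before it is substituted.
function buildRestoreLabelFixed(label, formdata) {
  return label
    .replace('$date', new Date(formdata.changed).toLocaleString())
    .replace('$subject', escapeTextNode(formdata._subject))
    .replace(/\n/g, '<br/>');
}

// Hardened variant: a function replacement disables the '$&', "$'", '$$'
// substitution patterns that String.prototype.replace applies to string
// replacements, and the newline conversion runs first so it only affects
// the label text, never the subject.
function buildRestoreLabelHardened(label, formdata) {
  return label
    .replace(/\n/g, '<br/>')
    .replace('$date', () => new Date(formdata.changed).toLocaleString())
    .replace('$subject', () => escapeTextNode(formdata._subject));
}

// Reviewer check: does any tag present in the subject survive unescaped in
// the dialog HTML?
function subjectMarkupSurvives(dialogHtml, subject) {
  const tags = String(subject).match(/<[^>]+>/g) || [];
  return tags.some((t) => dialogHtml.includes(t));
}

// Constructed sample of what a crafted draft's autosaved record could hold.
const SAMPLE = {
  changed: Date.UTC(2026, 4, 24, 12, 0, 0),
  _subject: 'Q2 budget <img src=x onerror=alert(1)>',
};

// Stand-alone run: the vulnerable build keeps the tag, the fixed one does not.
console.log('vulnerable:', buildRestoreLabelVulnerable(RESTORE_LABEL, SAMPLE));
console.log('fixed:     ', buildRestoreLabelFixed(RESTORE_LABEL, SAMPLE));
console.log('hardened:  ', buildRestoreLabelHardened(RESTORE_LABEL, SAMPLE));
```

The escaping only needs to cover `&`, `<` and `>` because the dialog places the subject in element content; the same helper would be insufficient if the label ever put the value inside an attribute, where quotes would also need encoding.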

Preconditions

  • Auth: Attacker must have write access to a shared mailbox to save a crafted draft.
  • Input: Victim must be shown the draft restore dialog for the malicious draft.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0): no linked articles in our index yet.