VYPR

Packagist (Composer) package

roundcube/roundcubemail

pkg:composer/roundcube/roundcubemail

Vulnerabilities (10)

  • CVE-2026-35545 | Medium | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fi

  • CVE-2026-35544 | Medium | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

  • CVE-2026-35543 | Medium | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

  • CVE-2026-35542 | Medium | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

  • CVE-2026-35541 | Medium | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

  • CVE-2026-35540 | Medium | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

  • CVE-2026-35539 | Medium | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

  • CVE-2026-35538 | Low | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

  • CVE-2026-35537 | Low | Apr 3, 2026
    affected: >= 1.7-beta, < 1.7-rc5 | fixed: 1.7-rc5

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

  • CVE-2025-49113 | KEV | Jun 2, 2025
    affected: < 1.5.10 | fixed: 1.5.10

    Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.