Packagist (Composer) package
roundcube/roundcubemail
pkg:composer/roundcube/roundcubemail
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35545 | Med | 5.3 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fi |
| CVE-2026-35544 | Med | 5.3 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important. |
| CVE-2026-35543 | Med | 5.3 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass. |
| CVE-2026-35542 | Med | 5.3 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass. |
| CVE-2026-35541 | Med | 4.2 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password. |
| CVE-2026-35540 | Med | 5.4 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts. |
| CVE-2026-35539 | Med | 6.1 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment. |
| CVE-2026-35538 | Low | 3.1 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search. |
| CVE-2026-35537 | Low | 3.7 | | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data. |
| CVE-2025-49113 | — | | KEV | < 1.5.10 | 1.5.10 | Jun 2, 2025 | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. |