rpm package
opensuse/roundcubemail&distro=openSUSE Leap 16.0
pkg:rpm/opensuse/roundcubemail&distro=openSUSE%20Leap%2016.0
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35537 | Low | 3.7 | | < 1.6.15-bp160.1.1 | 1.6.15-bp160.1.1 | Apr 3, 2026 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data. |
| CVE-2026-26079 | Med | 4.7 | | < 1.6.13-bp160.1.1 | 1.6.13-bp160.1.1 | Feb 11, 2026 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled. |
| CVE-2026-25916 | Med | 4.3 | | < 1.6.13-bp160.1.1 | 1.6.13-bp160.1.1 | Feb 9, 2026 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. |
| CVE-2025-68461 | — | | KEV | < 1.6.13-bp160.1.1 | 1.6.13-bp160.1.1 | Dec 18, 2025 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. |
| CVE-2025-68460 | — | | | < 1.6.13-bp160.1.1 | 1.6.13-bp160.1.1 | Dec 18, 2025 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer. |