VYPR

rpm package

opensuse/roundcubemail&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/roundcubemail&distro=openSUSE%20Tumbleweed

Vulnerabilities (27)

  • CVE-2026-48849 (Medium) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

  • CVE-2026-48848 (High) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

  • CVE-2026-48847 (Low) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

  • CVE-2026-48846 (Medium) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

  • CVE-2026-48845 (Medium) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.

  • CVE-2026-48844 (High) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

  • CVE-2026-48843 (High) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1 has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages, which may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an

  • CVE-2026-48842 (High) May 25, 2026
    affected < 1.6.16-2.1, fixed 1.6.16-2.1

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has a pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

  • CVE-2024-42010 (High) Aug 5, 2024
    affected < 1.6.8-1.1, fixed 1.6.8-1.1

    mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.

  • CVE-2024-42009 (KEV) Aug 5, 2024
    affected < 1.6.8-1.1, fixed 1.6.8-1.1

    A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.

  • CVE-2024-42008 Aug 5, 2024
    affected < 1.6.8-1.1, fixed 1.6.8-1.1

    A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

  • CVE-2023-47272 Nov 5, 2023
    affected < 1.6.5-1.1, fixed 1.6.5-1.1

    Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

  • CVE-2023-5631 (KEV) Oct 18, 2023
    affected < 1.6.4-1.1, fixed 1.6.4-1.1

    Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

  • CVE-2020-35730 (KEV) Dec 28, 2020
    affected < 1.4.11-1.3, fixed 1.4.11-1.3

    An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

  • CVE-2020-16145 Aug 12, 2020
    affected < 1.4.11-1.3, fixed 1.4.11-1.3

    Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

  • CVE-2020-12641 (KEV) May 4, 2020
    affected < 1.4.11-1.3, fixed 1.4.11-1.3

    rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

  • CVE-2019-10740 Apr 7, 2019
    affected < 1.4.11-1.3, fixed 1.4.11-1.3

    In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can b

  • CVE-2018-9846 (High) Apr 7, 2018
    affected < 1.4.11-1.3, fixed 1.4.11-1.3

    In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection a

  • CVE-2017-16651 (High, KEV) Nov 9, 2017
    affected < 1.4.11-1.3, fixed 1.4.11-1.3

    Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target sy

  • CVE-2017-8114 (High) Apr 29, 2017
    affected < 1.4.11-1.3, fixed 1.4.11-1.3

    Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Page 1 of 2