Roundcubemail
by Roundcube
CVEs (5)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-26079 | Med | 0.31 | 4.7 | 0.00 | | Feb 11, 2026 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled. |
| CVE-2026-25916 | Med | 0.28 | 4.3 | 0.00 | | Feb 9, 2026 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. |
| CVE-2023-5631 | | 0.19 | — | 0.84 | KEV | Oct 18, 2023 | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. |
| CVE-2025-68461 | | 0.12 | — | 0.05 | KEV | Dec 18, 2025 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. |
| CVE-2025-68460 | | 0.00 | — | 0.00 | | Dec 18, 2025 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer. |