Roundcubemail
by Roundcube
Source repositories
CVEs (80)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-48846 | Med | 0.35 | 6.5 | 0.00 | May 25, 2026 | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass. | ||
| CVE-2026-48845 | Med | 0.35 | 6.5 | 0.00 | May 25, 2026 | In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message. | ||
| CVE-2015-5381 | Med | 0.33 | 6.1 | 0.03 | May 23, 2017 | Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. | ||
| CVE-2015-8864 | Med | 0.33 | 6.1 | 0.03 | Apr 13, 2017 | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | ||
| CVE-2026-26079 | Med | 0.31 | 4.7 | 0.00 | Feb 11, 2026 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled. | ||
| CVE-2026-25916 | Med | 0.28 | 4.3 | 0.01 | Feb 9, 2026 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. | ||
| CVE-2026-48849 | Med | 0.22 | 4.4 | 0.00 | May 25, 2026 | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes. | ||
| CVE-2024-42009 | 0.19 | — | 0.83 | KEV | Aug 5, 2024 | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | ||
| CVE-2020-12641 | 0.19 | — | 0.84 | KEV | May 4, 2020 | rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | ||
| CVE-2023-5631 | 0.18 | — | 0.73 | KEV | Oct 18, 2023 | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. | ||
| CVE-2020-13965 | 0.18 | — | 0.77 | KEV | Jun 9, 2020 | An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. | ||
| CVE-2026-48847 | Low | 0.17 | 3.7 | 0.00 | May 25, 2026 | Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass. | ||
| CVE-2023-43770 | 0.17 | — | 0.58 | KEV | Sep 22, 2023 | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | ||
| CVE-2021-44026 | 0.15 | — | 0.43 | KEV | Nov 19, 2021 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | ||
| CVE-2025-68461 | 0.14 | — | 0.20 | KEV | Dec 18, 2025 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | ||
| CVE-2024-37383 | 0.13 | — | 0.73 | KEV | Jun 7, 2024 | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. | ||
| CVE-2020-35730 | 0.10 | — | 0.33 | KEV | Dec 28, 2020 | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. | ||
| CVE-2024-42008 | 0.04 | — | 0.32 | Aug 5, 2024 | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | |||
| CVE-2020-12640 | 0.01 | — | 0.07 | May 4, 2020 | Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. | |||
| CVE-2026-9818 | 0.00 | — | — | May 28, 2026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
- risk 0.35cvss 6.5epss 0.00
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
- risk 0.35cvss 6.5epss 0.00
In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
- risk 0.33cvss 6.1epss 0.03
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
- risk 0.33cvss 6.1epss 0.03
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
- risk 0.31cvss 4.7epss 0.00
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
- risk 0.28cvss 4.3epss 0.01
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
- risk 0.22cvss 4.4epss 0.00
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
- risk 0.19cvss —epss 0.83
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
- risk 0.19cvss —epss 0.84
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
- risk 0.18cvss —epss 0.73
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
- risk 0.18cvss —epss 0.77
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
- risk 0.17cvss 3.7epss 0.00
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
- risk 0.17cvss —epss 0.58
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
- risk 0.15cvss —epss 0.43
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
- risk 0.14cvss —epss 0.20
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
- risk 0.13cvss —epss 0.73
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
- risk 0.10cvss —epss 0.33
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
- CVE-2024-42008Aug 5, 2024risk 0.04cvss —epss 0.32
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
- CVE-2020-12640May 4, 2020risk 0.01cvss —epss 0.07
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
- CVE-2026-9818May 28, 2026risk 0.00cvss —epss —
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Page 2 of 4