VYPR

Roundcubemail

by Roundcube

Source repositories

CVEs (80)

  • CVE-2026-48846MedMay 25, 2026
    risk 0.35cvss 6.5epss 0.00

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

  • CVE-2026-48845MedMay 25, 2026
    risk 0.35cvss 6.5epss 0.00

    In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.

  • CVE-2015-5381MedMay 23, 2017
    risk 0.33cvss 6.1epss 0.03

    Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

  • CVE-2015-8864MedApr 13, 2017
    risk 0.33cvss 6.1epss 0.03

    Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.

  • CVE-2026-26079MedFeb 11, 2026
    risk 0.31cvss 4.7epss 0.00

    Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

  • CVE-2026-25916MedFeb 9, 2026
    risk 0.28cvss 4.3epss 0.01

    Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

  • CVE-2026-48849MedMay 25, 2026
    risk 0.22cvss 4.4epss 0.00

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

  • CVE-2024-42009KEVAug 5, 2024
    risk 0.19cvss epss 0.83

    A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

  • CVE-2020-12641KEVMay 4, 2020
    risk 0.19cvss epss 0.84

    rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

  • CVE-2023-5631KEVOct 18, 2023
    risk 0.18cvss epss 0.73

    Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

  • CVE-2020-13965KEVJun 9, 2020
    risk 0.18cvss epss 0.77

    An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

  • CVE-2026-48847LowMay 25, 2026
    risk 0.17cvss 3.7epss 0.00

    Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

  • CVE-2023-43770KEVSep 22, 2023
    risk 0.17cvss epss 0.58

    Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

  • CVE-2021-44026KEVNov 19, 2021
    risk 0.15cvss epss 0.43

    Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

  • CVE-2025-68461KEVDec 18, 2025
    risk 0.14cvss epss 0.20

    Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

  • CVE-2024-37383KEVJun 7, 2024
    risk 0.13cvss epss 0.73

    Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

  • CVE-2020-35730KEVDec 28, 2020
    risk 0.10cvss epss 0.33

    An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

  • CVE-2024-42008Aug 5, 2024
    risk 0.04cvss epss 0.32

    A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

  • CVE-2020-12640May 4, 2020
    risk 0.01cvss epss 0.07

    Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

  • CVE-2026-9818May 28, 2026
    risk 0.00cvss epss

    Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.