VYPR

Roundcubemail

by Roundcube

CVEs (80)

  • CVE-2025-68460 (Dec 18, 2025)
    risk 0.00 | cvss | epss 0.00

    Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.

  • CVE-2024-37385 (Jun 7, 2024)
    risk 0.00 | cvss | epss 0.01

    Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.

  • CVE-2023-47272 (Nov 5, 2023)
    risk 0.00 | cvss | epss 0.01

    Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

  • CVE-2023-3222 (Sep 4, 2023)
    risk 0.00 | cvss | epss 0.01

    Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. An attacker could create an automatic script to test all…

  • CVE-2023-3221 (Sep 4, 2023)
    risk 0.00 | cvss | epss 0.00

    User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database.

  • CVE-2021-46144 (Jan 6, 2022)
    risk 0.00 | cvss | epss 0.01

    Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.

  • CVE-2021-44025 (Nov 19, 2021)
    risk 0.00 | cvss | epss 0.01

    Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.

  • CVE-2020-18671 (Jun 24, 2021)
    risk 0.00 | cvss | epss 0.01

    Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.

  • CVE-2020-18670 (Jun 24, 2021)
    risk 0.00 | cvss | epss 0.01

    Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php.

  • CVE-2021-26925 (Feb 9, 2021)
    risk 0.00 | cvss | epss 0.01

    Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.

  • CVE-2020-16145 (Aug 12, 2020)
    risk 0.00 | cvss | epss 0.02

    Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

  • CVE-2020-15562 (Jul 6, 2020)
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element…

  • CVE-2020-12626 (May 4, 2020)
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

  • CVE-2019-15237 (Aug 20, 2019)
    risk 0.00 | cvss | epss 0.01

    Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

  • CVE-2019-10740 (Apr 7, 2019)
    risk 0.00 | cvss | epss 0.01

    In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can…

  • CVE-2018-19206 (Nov 12, 2018)
    risk 0.00 | cvss | epss 0.60

    steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of , as demonstrated by an onload attribute in a BODY element, within an HTML attachment.

  • CVE-2018-19205 (Nov 12, 2018)
    risk 0.00 | cvss | epss 0.02

    Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php.

  • CVE-2015-8105 (Nov 10, 2015)
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.

  • CVE-2015-1433 (Feb 3, 2015)
    risk 0.00 | cvss | epss 0.03

    program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.

  • CVE-2014-9587 (Jan 15, 2015)
    risk 0.00 | cvss | epss 0.02

    Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.