Roundcubemail
by Roundcube
Source repositories
CVEs (80)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-68460 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer. |
| CVE-2024-37385 | | | 0.00 | — | 0.01 | | Jun 7, 2024 | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. |
| CVE-2023-47272 | | | 0.00 | — | 0.01 | | Nov 5, 2023 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). |
| CVE-2023-3222 | | | 0.00 | — | 0.01 | | Sep 4, 2023 | Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. An attacker could create an automatic script to test all… |
| CVE-2023-3221 | | | 0.00 | — | 0.00 | | Sep 4, 2023 | User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database. |
| CVE-2021-46144 | | | 0.00 | — | 0.01 | | Jan 6, 2022 | Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. |
| CVE-2021-44025 | | | 0.00 | — | 0.01 | | Nov 19, 2021 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. |
| CVE-2020-18671 | | | 0.00 | — | 0.01 | | Jun 24, 2021 | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. |
| CVE-2020-18670 | | | 0.00 | — | 0.01 | | Jun 24, 2021 | Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php. |
| CVE-2021-26925 | | | 0.00 | — | 0.01 | | Feb 9, 2021 | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. |
| CVE-2020-16145 | | | 0.00 | — | 0.02 | | Aug 12, 2020 | Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. |
| CVE-2020-15562 | | | 0.00 | — | 0.02 | | Jul 6, 2020 | An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element… |
| CVE-2020-12626 | | | 0.00 | — | 0.02 | | May 4, 2020 | An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. |
| CVE-2019-15237 | | | 0.00 | — | 0.01 | | Aug 20, 2019 | Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. |
| CVE-2019-10740 | | | 0.00 | — | 0.01 | | Apr 7, 2019 | In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can… |
| CVE-2018-19206 | | | 0.00 | — | 0.60 | | Nov 12, 2018 | steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of , as demonstrated by an onload attribute in a BODY element, within an HTML attachment. |
| CVE-2018-19205 | | | 0.00 | — | 0.02 | | Nov 12, 2018 | Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. |
| CVE-2015-8105 | | | 0.00 | — | 0.01 | | Nov 10, 2015 | Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. |
| CVE-2015-1433 | | | 0.00 | — | 0.03 | | Feb 3, 2015 | program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. |
| CVE-2014-9587 | | | 0.00 | — | 0.02 | | Jan 15, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. |
Page 3 of 4