VYPR

Webmail by Roundcube

CVEs (72), 20 listed below. Each entry: CVE ID | severity | date, then the site's risk score | CVSS base score | EPSS probability.

  • CVE-2015-8793 | Medium | Jan 29, 2016
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than…

  • CVE-2015-5382 | Medium | May 23, 2017
    risk 0.36 | CVSS 6.5 | EPSS 0.03

    program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

  • CVE-2026-48846 | Medium | May 25, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

  • CVE-2026-48845 | Medium | May 25, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.

  • CVE-2026-35539 | Medium | Apr 3, 2026
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

  • CVE-2015-5381 | Medium | May 23, 2017
    risk 0.33 | CVSS 6.1 | EPSS 0.03

    Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

  • CVE-2015-8864 | Medium | Apr 13, 2017
    risk 0.33 | CVSS 6.1 | EPSS 0.03

    Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.

  • CVE-2026-35540 | Medium | Apr 3, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

  • CVE-2026-25916 | Medium | Feb 9, 2026
    risk 0.28 | CVSS 4.3 | EPSS 0.01

    Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

  • CVE-2026-35545 | Medium | Apr 3, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with…

  • CVE-2026-35544 | Medium | Apr 3, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

  • CVE-2026-35543 | Medium | Apr 3, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

  • CVE-2026-35542 | Medium | Apr 3, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

  • CVE-2026-48849 | Medium | May 25, 2026
    risk 0.22 | CVSS 4.4 | EPSS 0.00

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

  • CVE-2026-35541 | Medium | Apr 3, 2026
    risk 0.20 | CVSS 4.2 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

  • CVE-2026-48847 | Low | May 25, 2026
    risk 0.17 | CVSS 3.7 | EPSS 0.00

    Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

  • CVE-2026-35537 | Low | Apr 3, 2026
    risk 0.17 | CVSS 3.7 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

  • CVE-2025-49113 | KEV (CISA Known Exploited Vulnerabilities) | Jun 2, 2025
    risk 0.15 | CVSS not listed | EPSS 0.89

    Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

  • CVE-2026-35538 | Low | Apr 3, 2026
    risk 0.13 | CVSS 3.1 | EPSS 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

  • CVE-2026-9818 | no severity | May 28, 2026
    risk 0.00 | CVSS none | EPSS none

    Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
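Several entries above are variations on one theme: "Block remote images" only works if the sanitizer looks in every place a fetchable URL can hide, not just `<img src>`. The list names url() inside a CSS custom property consumed via var() (CVE-2026-48846), the BODY background attribute (CVE-2026-35542), SVG feImage (CVE-2026-25916), SVG animate rewriting an href (CVE-2026-35543, CVE-2026-35545), and, separately, destinations on loopback or private networks that must be blocked even when they are not "remote" in the public-internet sense (CVE-2026-48845, CVE-2026-35540). The scanner below is an added example written for this page, not Roundcube's own sanitizer (washtml) and not taken from any of the advisories; the attribute list, the regexes, the sample HTML and the host names in it are constructed for illustration.

```python
"""Scanner for remote-content references in an HTML e-mail body.

Added example, not Roundcube's sanitizer. It walks the places the CVE
list names as remote-image-blocking bypasses and classifies each URL as
inline (cid:/data:), 'private' (loopback, RFC 1918, link-local) or
'remote'. Sample HTML and host names are constructed for the example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value a client would fetch (illustrative list, not exhaustive).
URL_ATTRS = {"src", "href", "xlink:href", "background", "poster", "data"}
# url(...) anywhere in CSS text, quoted or not; @import "..." as well.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
CSS_IMPORT_RE = re.compile(r"@import\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)


def classify(url):
    """None for inline content (cid:/data:), else 'private' or 'remote'."""
    try:
        parts = urlparse(url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return "remote"  # unparseable: treat as a fetch, never as safe
    if parts.scheme.lower() in ("cid", "data"):
        return None
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "private"
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            return "private"
    return "remote"


class RemoteRefFinder(HTMLParser):
    """Collects (tag, where, url, kind) for every fetchable reference."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._style_buf = None  # text of an open <style> element

    def _add(self, tag, where, url):
        kind = classify(url)
        if kind:
            self.findings.append((tag, where, url.strip(), kind))

    def _scan_css(self, tag, css):
        # url() inside a --custom-property value counts too: a sanitizer that
        # only inspects known properties misses the value var() later pulls in.
        for m in CSS_URL_RE.finditer(css):
            self._add(tag, "css", m.group(1))
        for m in CSS_IMPORT_RE.finditer(css):
            self._add(tag, "css", m.group(1))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._style_buf = ""
        a = {name: (value or "") for name, value in attrs}
        for name, value in a.items():
            if name in URL_ATTRS:
                self._add(tag, name, value)
            elif name == "style":
                self._scan_css(tag, value)
        # <animate attributeName="href" values="a;b"> swaps the href at runtime,
        # so every listed candidate is a URL the client may end up fetching.
        if tag in ("animate", "set") and a.get("attributename", "").lower() in ("href", "xlink:href"):
            for name in ("values", "from", "to"):
                for candidate in a.get(name, "").split(";"):
                    if candidate.strip():
                        self._add(tag, name, candidate)

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf += data

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            self._scan_css("style", self._style_buf)
            self._style_buf = None


def find_remote_references(html):
    parser = RemoteRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message exercising each vector named in the CVE list.
SAMPLE_HTML = """<html><head><style>
  :root { --pic: url('https://tracker.example/px.gif'); }
  body { background: var(--pic); }
</style></head>
<body background="http://10.0.0.5/internal.png">
<img src="cid:logo"> <img src="//tracker.example/i.png">
<svg><filter><feImage href="https://tracker.example/fe.png"/></filter>
<image href="cid:ok"><animate attributeName="href" values="cid:ok;https://tracker.example/a.png"/></image></svg>
<div style="background-image: url(http://localhost:8080/x)"></div>
</body></html>"""

if __name__ == "__main__":
    for tag, where, url, kind in find_remote_references(SAMPLE_HTML):
        print(f"{kind:8} <{tag} {where}> {url}")
```

The 'private' class is the point of CVE-2026-48845: a host-based allow/deny decision made on the URL string is not enough, because a public host name can still resolve to a loopback or RFC 1918 address at fetch time, so the same check belongs on the resolved address in whatever proxy or fetcher actually issues the request.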
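CVE-2026-35538 describes the class of bug in which a user-supplied search term is pasted into an IMAP SEARCH command as-is, so a CR LF inside the term terminates SEARCH and starts a second command of the attacker's choosing. The example below is added for this page and is not Roundcube's IMAP code, nor does it reproduce the advisory's exact bug: it shows a deliberately injectable command builder next to one that encodes the term as an RFC 3501 astring (a quoted string, or a length-prefixed literal when the term contains CR, LF or 8-bit data), plus a small literal-aware splitter that mimics how a server cuts the byte stream into commands. The tag and the hostile term are constructed.

```python
"""IMAP SEARCH argument encoding.

Added example, not Roundcube's code. RFC 3501 gives two safe encodings
for a string argument: a quoted string (7-bit, no CR/LF, with double
quote and backslash escaped) or a literal {n}CRLF followed by n raw
bytes that the server copies without parsing. The vulnerable builder
below shows what goes wrong without either. Inputs are constructed.
"""
import re


def encode_astring(value):
    """Encode a search term as an RFC 3501 astring (bytes)."""
    data = value.encode("utf-8")
    if all(0x20 <= b < 0x7F for b in data):
        escaped = data.replace(b"\\", b"\\\\").replace(b'"', b'\\"')
        return b'"' + escaped + b'"'
    # CR, LF, NUL or 8-bit data cannot go in a quoted string: send a literal.
    # A real client must wait for the server's "+" continuation after the
    # {n} line (or use LITERAL+ "{n+}"); the bytes on the wire are the same.
    return b"{%d}\r\n" % len(data) + data


def build_search_unsafe(tag, term):
    """Injectable: the term is concatenated into the command line untouched."""
    return (tag + " SEARCH TEXT " + term + "\r\n").encode("utf-8")


def build_search(tag, term):
    """Safe: the term is always an astring, never bare syntax."""
    return tag.encode("ascii") + b" SEARCH TEXT " + encode_astring(term) + b"\r\n"


LITERAL_TAIL = re.compile(rb"\{(\d+)\}$")


def split_commands(wire):
    """Cut a client byte stream into commands the way a server does:
    CRLF ends a command, except the CRLF that closes a literal prefix
    {n}, after which the next n bytes are payload rather than syntax."""
    commands, current, tail_start, i = [], b"", 0, 0
    while i < len(wire):
        j = wire.find(b"\r\n", i)
        if j < 0:
            current += wire[i:]
            break
        current += wire[i:j]
        m = LITERAL_TAIL.search(current[tail_start:])
        if m:
            n = int(m.group(1))
            current += b"\r\n" + wire[j + 2 : j + 2 + n]
            tail_start = len(current)  # payload bytes are never re-parsed
            i = j + 2 + n
            continue
        commands.append(current)
        current, tail_start, i = b"", 0, j + 2
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    hostile = "x\r\nA002 NOOP"  # constructed: a search term carrying a second command
    print(split_commands(build_search_unsafe("A001", hostile)))  # two commands reach the server
    print(split_commands(build_search("A001", hostile)))         # one command, term intact
```

Two practical notes: a term that needs a literal because it is non-ASCII also needs a CHARSET argument on the SEARCH (RFC 3501 requires it for anything outside US-ASCII), and the same encoding rule applies to every other string the client forwards from the user (mailbox names, header values), not only SEARCH keys.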