VYPR
Vendor

Roundcube

Roundcube is a web-based IMAP email client written in PHP. It uses Ajax throughout its interface and is licensed under the GNU GPL version 3 or later, with exceptions for skins and plugins.

Founded 2008
Products
3
CVEs
99
Across products
153
Status
Private

Products

3

Recent CVEs

99
View all 99 CVEs →
  • CVE-2017-16651HigKEVNov 9, 2017
    risk 0.62cvss 7.8epss 0.43

    Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target…

  • CVE-2015-2180HigJan 30, 2017
    risk 0.58cvss 8.8epss 0.05

    The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.

  • CVE-2018-9846HigApr 7, 2018
    risk 0.57cvss 8.8epss 0.02

    In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection…

  • CVE-2017-8114HigApr 29, 2017
    risk 0.57cvss 8.8epss 0.03

    Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

  • CVE-2015-2181HigJan 30, 2017
    risk 0.57cvss 8.8epss 0.03

    Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.

  • CVE-2016-4069HigAug 25, 2016
    risk 0.57cvss 8.8epss 0.03

    Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.

  • CVE-2015-8770HigJan 29, 2016
    risk 0.54cvss 7.5epss 0.22

    Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a ..…

  • CVE-2018-1000072HigMar 13, 2018
    risk 0.49cvss 7.5epss 0.02

    iRedMail version prior to commit f04b8ef contains a Insecure Permissions vulnerability in Roundcube Webmail that can result in Exfiltrate a user's password protected secret GPG key file and other important configuration files.. This attack appear to be exploitable via network…

  • CVE-2018-1000071HigMar 13, 2018
    risk 0.49cvss 7.5epss 0.02

    roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.

  • CVE-2016-9920HigDec 8, 2016
    risk 0.49cvss 7.5epss 0.06

    steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated…

  • CVE-2026-48842HigMay 25, 2026
    risk 0.46cvss 8.1epss 0.01

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

  • CVE-2024-42010HigAug 5, 2024
    risk 0.43cvss 7.5epss 0.53

    mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.

  • CVE-2026-48844HigMay 25, 2026
    risk 0.42cvss 7.5epss 0.00

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

  • CVE-2026-35391HigApr 6, 2026
    risk 0.42cvss 7.5epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their…

  • CVE-2015-5383HigMay 23, 2017
    risk 0.42cvss 7.5epss 0.04

    Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.

  • CVE-2015-8794MedJan 29, 2016
    risk 0.42cvss 6.5epss 0.02

    Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.

  • CVE-2026-48848HigMay 25, 2026
    risk 0.40cvss 7.2epss 0.00

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

  • CVE-2026-48843HigMay 25, 2026
    risk 0.40cvss 7.2epss 0.00

    Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an…

  • CVE-2016-4068MedApr 13, 2017
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.

  • CVE-2017-6820MedMar 12, 2017
    risk 0.40cvss 6.1epss 0.01

    rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.