VYPR

Vendor CVEs

Roundcube

All CVEs

99 total · sorted by risk
  • CVE-2017-16651HigKEVNov 9, 2017
    risk 0.62cvss 7.8epss 0.43

    Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target…

  • CVE-2015-2180HigJan 30, 2017
    risk 0.58cvss 8.8epss 0.05

    The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.

  • CVE-2018-9846HigApr 7, 2018
    risk 0.57cvss 8.8epss 0.02

    In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection…

  • CVE-2017-8114HigApr 29, 2017
    risk 0.57cvss 8.8epss 0.03

    Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

  • CVE-2015-2181HigJan 30, 2017
    risk 0.57cvss 8.8epss 0.03

    Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.

  • CVE-2016-4069HigAug 25, 2016
    risk 0.57cvss 8.8epss 0.03

    Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.

  • CVE-2015-8770HigJan 29, 2016
    risk 0.54cvss 7.5epss 0.22

    Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a ..…

  • CVE-2018-1000072HigMar 13, 2018
    risk 0.49cvss 7.5epss 0.02

    iRedMail version prior to commit f04b8ef contains a Insecure Permissions vulnerability in Roundcube Webmail that can result in Exfiltrate a user's password protected secret GPG key file and other important configuration files.. This attack appear to be exploitable via network…

  • CVE-2018-1000071HigMar 13, 2018
    risk 0.49cvss 7.5epss 0.02

    roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.

  • CVE-2016-9920HigDec 8, 2016
    risk 0.49cvss 7.5epss 0.06

    steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated…

  • CVE-2026-48842HigMay 25, 2026
    risk 0.46cvss 8.1epss 0.01

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

  • CVE-2024-42010HigAug 5, 2024
    risk 0.43cvss 7.5epss 0.53

    mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.

  • CVE-2026-48844HigMay 25, 2026
    risk 0.42cvss 7.5epss 0.00

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

  • CVE-2026-35391HigApr 6, 2026
    risk 0.42cvss 7.5epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their…

  • CVE-2015-5383HigMay 23, 2017
    risk 0.42cvss 7.5epss 0.04

    Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.

  • CVE-2015-8794MedJan 29, 2016
    risk 0.42cvss 6.5epss 0.02

    Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.

  • CVE-2026-48848HigMay 25, 2026
    risk 0.40cvss 7.2epss 0.00

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

  • CVE-2026-48843HigMay 25, 2026
    risk 0.40cvss 7.2epss 0.00

    Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an…

  • CVE-2016-4068MedApr 13, 2017
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.

  • CVE-2017-6820MedMar 12, 2017
    risk 0.40cvss 6.1epss 0.01

    rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

  • CVE-2016-4552MedDec 20, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message.

  • CVE-2015-8793MedJan 29, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than…

  • CVE-2018-16736MedSep 9, 2018
    risk 0.38cvss 5.4epss 0.03

    In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings).

  • CVE-2015-5382MedMay 23, 2017
    risk 0.36cvss 6.5epss 0.03

    program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

  • CVE-2026-48846MedMay 25, 2026
    risk 0.35cvss 6.5epss 0.00

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

  • CVE-2026-48845MedMay 25, 2026
    risk 0.35cvss 6.5epss 0.00

    In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.

  • CVE-2026-35539MedApr 3, 2026
    risk 0.33cvss 6.1epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

  • CVE-2015-5381MedMay 23, 2017
    risk 0.33cvss 6.1epss 0.03

    Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

  • CVE-2015-8864MedApr 13, 2017
    risk 0.33cvss 6.1epss 0.03

    Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.

  • CVE-2026-26079MedFeb 11, 2026
    risk 0.31cvss 4.7epss 0.00

    Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

  • CVE-2026-35540MedApr 3, 2026
    risk 0.28cvss 5.4epss 0.00

    An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

  • CVE-2026-25916MedFeb 9, 2026
    risk 0.28cvss 4.3epss 0.01

    Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

  • CVE-2026-35545MedApr 3, 2026
    risk 0.27cvss 5.3epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with…

  • CVE-2026-35544MedApr 3, 2026
    risk 0.27cvss 5.3epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

  • CVE-2026-35543MedApr 3, 2026
    risk 0.27cvss 5.3epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

  • CVE-2026-35542MedApr 3, 2026
    risk 0.27cvss 5.3epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

  • CVE-2026-48849MedMay 25, 2026
    risk 0.22cvss 4.4epss 0.00

    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

  • CVE-2026-35541MedApr 3, 2026
    risk 0.20cvss 4.2epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

  • CVE-2024-42009KEVAug 5, 2024
    risk 0.19cvss epss 0.83

    A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

  • CVE-2020-12641KEVMay 4, 2020
    risk 0.19cvss epss 0.84

    rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

  • CVE-2023-5631KEVOct 18, 2023
    risk 0.18cvss epss 0.73

    Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

  • CVE-2020-13965KEVJun 9, 2020
    risk 0.18cvss epss 0.77

    An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

  • CVE-2026-48847LowMay 25, 2026
    risk 0.17cvss 3.7epss 0.00

    Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

  • CVE-2026-35537LowApr 3, 2026
    risk 0.17cvss 3.7epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

  • CVE-2023-43770KEVSep 22, 2023
    risk 0.17cvss epss 0.58

    Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

  • CVE-2025-49113KEVJun 2, 2025
    risk 0.15cvss epss 0.89

    Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

  • CVE-2021-44026KEVNov 19, 2021
    risk 0.15cvss epss 0.43

    Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

  • CVE-2025-68461KEVDec 18, 2025
    risk 0.14cvss epss 0.20

    Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

  • CVE-2026-35538LowApr 3, 2026
    risk 0.13cvss 3.1epss 0.00

    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

  • CVE-2024-37383KEVJun 7, 2024
    risk 0.13cvss epss 0.73

    Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

Page 1 of 2