SUSE CVE-2026-35537

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

EUVD-2026-18581

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

GHSA-X4Q5-8J5G-HPJC Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the session handler for redis and memcache. An attacker can perform arbitrary file write operations by submitting crafted session data. Details Serialization is a process of converting an object into...

Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content with animate attributes in an e-mail message. This may lead to information disclosure or access-control bypass...

Roundcube: Bypass of remote image blocking via crafted BODY background attribute

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass...

Incorrect Resource Transfer Between Spheres

Overview Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres in the CSS sanitization process for HTML email messages. An attacker can inject malicious CSS by crafting specially formatted HTML emails that exploit the lack of proper sanitization,...

EUVD-2026-18579

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

Incorrect Resource Transfer Between Spheres

Overview Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres in the processing of HTML email content when handling the background attribute of the BODY element. An attacker can cause information disclosure or bypass access controls by sending a speciall...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

CVE-2026-35541

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

CVE-2026-35544

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets CSS sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important...

CVE-2026-35544

CVE-2026-35544 affects Roundcube Webmail before 1.5.14 and 1.6.14. The issue is insufficient CSS sanitization in HTML emails, which may allow a fixed-position mitigation bypass via the use of !important. CVSS v3.1 base score 5.3 (Network, Low complexity, No privileges, No user interaction). The d...

CVE-2026-35543

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content with animate attributes in an e-mail message. This may lead to information disclosure or access-control bypass...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

Roundcube Webmail 代码问题漏洞

Roundcube Webmail is an open-source browser-based IMAP client developed by Roundcube. It supports address book management, information search, spelling checking, and more. Versions of Roundcube Webmail prior to 1.5.14 and 1.6.14 had code vulnerabilities due to unsafe deserialization, which could...

Roundcube Webmail 安全漏洞

Roundcube Webmail is an open-source browser-based IMAP client developed by Roundcube. It supports address book management, information search, spelling checking, etc. Versions prior to 1.5.14 and 1.6.14 of Roundcube Webmail had security vulnerabilities. These vulnerabilities were caused by improp...

EUVD-2024-50522

Malicious code in bioql PyPI...