2040 matches found
Roundcube Webmail - Remote Code Execution
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. id: CVE-2025-49113 info: name: Roundcube Webmail - Remote...
Roundcube Webmail - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in messagebody in program/actions/mail/show.php. id: CVE-2024-42009 info: name:...
Roundcube Webmail - Command Injection
Roundcube Webmail before 1.4.4 contains a command injection caused by shell metacharacters in configuration settings for imconvertpath or imidentifypath, letting attackers execute arbitrary code, exploit requires attacker to control configuration settings. id: CVE-2020-12641 info: name: Roundcube...
CVE-2025-42009
creationtimestamp| type| source ---|---|--- 2026-07-10 20:15:07+00:00| seen| https://cyber.gc.ca/en/alerts-advisories/vulnerability-impacting-roundcube-webmail-cve-2025-49113...
PT-2026-57342
Name of the Vulnerable Software and Affected Versions RoundCube versions prior to 1.7 Description A stored cross-site scripting XSS flaw exists where an unescaped attachment MIME type is displayed on the attachment-validation warning page. An attacker can craft a malicious MIME type string that,...
PT-2026-56922
Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.6.17 Roundcube Webmail versions prior to 1.7.2 Description Stored Cross-Site Scripting XSS occurs via a crafted plain-text email message. This allows attacker-controlled JavaScript to execute within the...
Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in...
FreeBSD : Roundcube -- Multiple vulnerabilities (d5578ba4-7889-11f1-b72c-8447094a420f)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the d5578ba4-7889-11f1-b72c-8447094a420f advisory. The Rouncube project reports: See links for more detail Tenable has extracted the preceding...
Roundcube -- Multiple vulnerabilities
The Rouncube project reports: See links for more detail...
CVE-2026-57517
Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges...
CVE-2026-57517
Control Web Panel prior to version 0.9.8.1225 is affected by CVE-2026-57517, a blind SQL injection via the userRes POST parameter at the user endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leveraging MySQL root privileges obtained...
CVE-2026-57517
Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges...
Exploit for CVE-2026-48849
CVE-2026-48849 - Stored XSS, HTML Injection & CSS Injection in...
Security update for roundcubemail (important)
openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2026:0183-1 Rating: important References: 1266329 1266331 1266332 1266333 1266334 1266335 1266336 1266337 Cross-References: CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845 CVE-2026-48846...
MGASA-2026-0194 Updated roundcubemail packages fix security vulnerabilities
Multiple security vulnerabilities were discovered in RoundCube Webmail, which could result in cross-site scripting, SQL injection, SSRF bypass, information disclosure, denial of service or code injection...
Updated roundcubemail packages fix security vulnerabilities
Multiple security vulnerabilities were discovered in RoundCube Webmail, which could result in cross-site scripting, SQL injection, SSRF bypass, information disclosure, denial of service or code injection...
[SECURITY] Fedora 43 Update: roundcubemail-1.6.16-1.fc43
RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in...
[SECURITY] Fedora 44 Update: roundcubemail-1.7.1-1.fc44
RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in...
Fedora 44 : roundcubemail (2026-2b956d89d3)
The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-2b956d89d3 advisory. Release 1.7.1 - Enigma: Support automatic public key lookup import using HKP v1 protocol 5314 - Managesieve: Fix error when a mail message contains...
openSUSE 16 Security Update : roundcubemail (openSUSE-SU-2026:20852-1)
The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20852-1 advisory. Changes in roundcubemail: - update to 1.6.16 - Fix potential too long value in IMAP ID command 10136 - Security: Fix stored XSS/HTML/CSS injecti...