80 matches found
CVE-2017-16651
CVE-2017-16651 - Roundcube Webmail file disclosure : Authenticated users can read arbitrary files on the host filesystem via the file-based attachment plugin workflow (_task=settings&_action=upload-display&_from=timezone). Affected versions include Roundcube before 1.1.10, 1.2.x before 1.2.7, and...
CVE-2020-35730
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability in rcube_string_replacer.php (linkref_addindex). An attacker can embed JavaScript in a plain-text email link reference, leading to script execution in the victim’s browser. Affected: Roundcube <1.2.13, <1.3.16 for 1.3.x, ...
CVE-2021-44026
CVE-2021-44026 concerns Roundcube Webmail, where versions prior to 1.3.17 and 1.4.x prior to 1.4.12 are vulnerable to SQL injection via search or search_params. The issue is documented in multiple advisories and CVE trackers, with Debian and Fedora indicating fixes in 1.2.3+dfsg.1-4+deb9u9 / 1.4....
CVE-2020-12641
Roundcube Webmail is affected by CVE-2020-12641 due to an injection vulnerability in rcube_image.php. The issue allows an attacker to execute arbitrary code by supplying shell metacharacters in configuration settings for im_convert_path or im_identify_path. The documented impact is remote code ex...
CVE-2015-5383
Summary: CVE-2015-5383 affects Roundcube Webmail 1.1.x before 1.1.2, where a remote attacker can read files from the config, temp, or logs directories to obtain sensitive information. The root cause is an information-disclosure path that allows unintended access to local files. The vulnerability ...
CVE-2025-49113
CVE-2025-49113 affects Roundcube Webmail (Roundcube core) with PHP Object Deserialization via the unvalidated _from parameter in actions/settings/upload.php. The issue allows remote code execution by an authenticated user. Public advisories confirm RCE implications and that patches were released...
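The entry above names an unvalidated routing parameter and object deserialization as root cause and consequence. The following is an added illustration of that bug class in plain PHP; it is not Roundcube code and not the real CVE-2025-49113 gadget or request flow. The TempFileCleaner class stands in for any class with a magic method, the serialized string is constructed for the demo, and the allowlist values in valid_from_param (apart from "timezone", which the page itself mentions) are hypothetical:

```php
<?php
// Added illustration (not Roundcube code, not the actual CVE gadget):
// why attacker-controlled input must never reach unserialize() unfiltered,
// and the two checks that close this class of bug: validate a routing
// parameter against the values the application expects, and restrict the
// classes unserialize() may instantiate.

// Harmless stand-in for a gadget: any class whose magic method runs on
// unserialize()/destruction is a candidate sink.
class TempFileCleaner
{
    public string $path = '';
    public function __destruct()
    {
        // A real gadget would do unlink($this->path) or worse here.
        echo "  __destruct ran with path=" . $this->path . "\n";
    }
}

// Constructed attacker-shaped input: a serialized object of the sink class.
$crafted = 'O:15:"TempFileCleaner":1:{s:4:"path";s:14:"/etc/important";}';

// Check 1: an "_from"-style parameter must match a fixed list of known
// values before it influences any storage or deserialization path.
// (Allowed values are hypothetical except "timezone".)
function valid_from_param(string $from, array $allowed = ['timezone', 'edit-identity']): bool
{
    return in_array($from, $allowed, true);
}

// Check 2: never deserialize attacker-reachable data into arbitrary classes.
function unserialize_untrusted(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

echo "unfiltered unserialize():\n";
$obj = unserialize($crafted);
echo '  got ' . get_class($obj) . "\n";
unset($obj);                               // destructor of the sink class runs

echo "restricted unserialize():\n";
$safe = unserialize_untrusted($crafted);
echo '  got ' . get_class($safe) . "\n";  // __PHP_Incomplete_Class; no destructor
unset($safe);

echo "parameter allowlist:\n";
foreach (['timezone', 'x;O:15:"TempFileCleaner"'] as $p) {
    printf("  %-28s %s\n", $p, valid_from_param($p) ? 'accepted' : 'rejected');
}
```

With allowed_classes set to false the crafted blob becomes a __PHP_Incomplete_Class and no magic method fires; the allowlist check is the layer that keeps the parameter from steering the code path in the first place.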
CVE-2023-5631
CVE-2023-5631 affects Roundcube Webmail. The issue is a stored XSS via an HTML e-mail message containing a crafted SVG, caused by logic in Roundcube’s rcube_washtml.php. Affected versions are Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4. Successful exploitation could allow ...
CVE-2024-42009
CVE-2024-42009 is a Cross-Site Scripting vulnerability rated critical in RoundCube Webmail (affected: up to 1.5.7 and 1.6.x up to 1.6.7) allowing a remote attacker to steal/send a victim's emails via a crafted message that abuses a desanitization issue in message_body() of program/actio...
CVE-2025-68461
CVE-2025-68461 affects Roundcube Webmail: cross-site scripting via the animate element in an SVG document, impacting Roundcube Webmail < 1.6.12 and
CVE-2023-43770
Roundcube Webmail vulnerability CVE-2023-43770 is a cross-site scripting (XSS) issue in Roundcube prior to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3. The root cause is behavior in program/lib/Roundcube/rcube_string_replacer.php that allows XSS via crafted links in text/plain emails, ...
CVE-2020-13965
CVE-2020-13965 concerns Roundcube Webmail prior to 1.3.12 and 1.4.x prior to 1.4.5, where an XSS can be triggered via a malicious XML attachment because text/xml is among the allowed preview types. The vulnerability affects Roundcube Webmail versions before these fixed releases; remediation is to upgrade t...
CVE-2020-12625
CVE-2020-12625 concerns Roundcube Webmail up to version 1.4.3, with a cross-site scripting (XSS) vulnerability in rcube_washtml.php that allows JavaScript in HTML message CDATA to be executed. Public advisories (e.g., Ubuntu USN-5182-1, Debian DSA-4674-1, openSUSE openSUSE-2020-1516) confirm the ...
CVE-2020-12640
CVE-2020-12640 affects Roundcube Webmail prior to 1.4.4. The vulnerability arises from a directory traversal in a plugin name passed to rcube_plugin_api.php, enabling local file inclusion and arbitrary code execution. Reported impact aligns with partial confidentiality, integrity, and availabilit...
CVE-2020-15562
CVE-2020-15562 affects Roundcube Webmail and enables cross-site scripting (XSS) via a crafted HTML e-mail that uses the xmlns attribute of a HEAD element when an SVG is present. Affected releases include Roundcube Webmail < 1.2.11, 1.3.x < 1.3.14, and 1.4.x
CVE-2020-16145
CVE-2020-16145 affects Roundcube Webmail prior to 1.3.15 and 1.4.x prior to 1.4.8, where a crafted SVG in HTML messages can trigger stored XSS during display. Advisories confirm fixes in 1.3.15 and 1.4.8; remediation is to upgrade to these versions or newer. Occurrence details are supported by OpenSUSE/Tenable/...
CVE-2020-18670
CVE-2020-18670 affects Roundcube Webmail with stored XSS in /installer/test.php via database host/user input. Publicly documented impact is XSS vulnerability in Roundcube 1.3.x/LTS releases, with openSUSE advisories noting a fix by upgrading to Roundcube 1.3.16 (security update openSUSE-SU-2021:1...
CVE-2024-37383
CVE-2024-37383 affects Roundcube Webmail: an XSS caused by improper handling of SVG animate attributes in messages. Affected versions are Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7. Public details include a stored XSS instance reported for Roundcube 1.6.6 (Exploit-DB). Debian advisorie...
CVE-2020-18671
Summary: CVE-2020-18671 is a Cross Site Scripting (XSS) vulnerability in Roundcube Mail that can be triggered via the SMTP config path in /installer/test.php. Connected sources (OSV/OpenSUSE advisories) confirm affected versions up to 1.4.x and indicate remediation by upgrading to Roundcube 1.3.1...
CVE-2019-10740
CVE-2019-10740 affects Roundcube Webmail prior to 1.3.10: an attacker who has access to S/MIME or PGP encrypted emails can wrap the encrypted parts into sub-parts of a crafted multipart message. The attacker can hide these parts using HTML/CSS or ASCII newlines and resend the modified multipart e...
CVE-2019-15237
CVE-2019-15237 affects Roundcube Webmail up to version 1.3.9, where Punycode xn-- domain names are mishandled, enabling homograph-like domain name confusion. Public sources in the connected documents corroborate a fix beyond 1.3.9: Fedora advisory FEDORA-2019-d9c2f1ec70 and Gentoo GLSA-202507-10 ...
CVE-2024-42008
CVE-2024-42008 is a Cross-Site Scripting flaw in Roundcube's rcmail_action_mail_get->run() that affects Roundcube <= 1.5.7 and 1.6.x
CVE-2024-37385
Affected software: Roundcube Webmail on Windows. Vulnerability: command injection in im_convert_path and im_identify_path present in Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7, due to an incomplete fix for CVE-2020-12641. Impact (per CVSS): high confidentiality, integrity, and availabi...
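CVE-2020-12641 and CVE-2024-37385 above are the same bug class twice: a configured binary path (im_convert_path / im_identify_path) spliced into a shell command, with the first fix incomplete on Windows. The block below is an added illustration, not Roundcube's code: it contrasts raw interpolation with per-argument escaping, and adds a path validation step that does not depend on shell-escaping semantics at all. The config values and file names are constructed for the demo:

```php
<?php
// Added illustration (not Roundcube code): building an ImageMagick command
// line from a configured binary path. Treating the config value as trusted
// is exactly the assumption behind CVE-2020-12641 / CVE-2024-37385.

// Constructed sample config values; the second carries shell metacharacters.
$configs = [
    'clean'    => '/usr/bin/convert',
    'injected' => '/usr/bin/convert; id > /tmp/pwned',
];

// Vulnerable pattern: raw interpolation, so the whole string reaches /bin/sh
// and the metacharacters start a second command.
function build_convert_cmd_vulnerable(string $convertPath, string $in, string $out): string
{
    return "$convertPath $in -resize 64x64 $out";
}

// Hardened pattern: every token is escaped as one argument, so a
// metacharacter in the path stays inside a single argv entry.
function build_convert_cmd_hardened(string $convertPath, string $in, string $out): string
{
    return escapeshellarg($convertPath) . ' '
         . escapeshellarg($in) . ' -resize 64x64 ' . escapeshellarg($out);
}

// Stronger still: refuse any configured path that is not an existing,
// executable file whose base name is one of the expected tools. This does
// not rely on escapeshellarg(), whose behaviour differs on Windows (it
// wraps in double quotes and replaces %, ! and " with spaces instead of
// using single quotes), the platform on which the original fix was incomplete.
function validate_tool_path(string $path, array $allowedNames = ['convert', 'identify', 'magick']): ?string
{
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    $base = pathinfo($real, PATHINFO_FILENAME); // drops .exe on Windows
    return in_array(strtolower($base), $allowedNames, true) ? $real : null;
}

foreach ($configs as $label => $path) {
    echo "[$label]\n";
    echo '  vulnerable: ' . build_convert_cmd_vulnerable($path, 'in.png', 'out.png') . "\n";
    echo '  hardened:   ' . build_convert_cmd_hardened($path, 'in.png', 'out.png') . "\n";
    echo '  validated:  ' . (validate_tool_path($path) ?? 'REJECTED') . "\n";
}
```

The hardened command still passes the bad path to the shell, but as a single quoted argument naming a file that does not exist; the validator rejects it before any command is formed, and also rejects a clean path on a host where the tool is absent, which is the right failure mode for a setting that drives exec().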
CVE-2016-9920
CVE-2016-9920 affects Roundcube before 1.1.7 and 1.2.x before 1.2.3. When no SMTP server is configured and sendmail is enabled, steps/mail/sendmail.inc does not properly restrict custom envelope-from addresses on the sendmail command line, allowing a remote authenticated user to execute arbitrary...
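The entry above is an argument-injection rather than a metacharacter problem: the envelope-from value is placed on the sendmail command line, and shell escaping alone does not stop a value that sendmail itself parses as an option. As an added example, not Roundcube's code, the block below shows why escapeshellarg() is insufficient here and validates the address before it reaches argv. The sendmail path and the sample inputs are constructed for the demo:

```php
<?php
// Added illustration (not Roundcube code): passing a user-supplied envelope
// sender to a local sendmail binary. escapeshellarg() alone is not enough:
// a value beginning with '-' survives escaping intact and sendmail parses
// it as an option, which is the class of bug behind CVE-2016-9920.

const SENDMAIL_BIN = '/usr/sbin/sendmail'; // assumed location

// Constructed sample inputs.
$samples = [
    'alice@example.org',   // legitimate
    'bob@example.org; id', // shell metacharacters (escaping does handle these)
    '-oQ/tmp',             // option-looking value (escaping does not help)
];

// Vulnerable: shell-escaped only, so the third sample becomes
// sendmail -f '-oQ/tmp' -t and sendmail still sees an option.
function sendmail_cmd_vulnerable(string $envelopeFrom): string
{
    return SENDMAIL_BIN . ' -f ' . escapeshellarg($envelopeFrom) . ' -t';
}

// Hardened: accept only a strict addr-spec before it goes near argv. The
// pattern is deliberately narrower than RFC 5321 (no quoted local parts, no
// IP literals); what it rejects is safe to reject. '-' is a legal local-part
// character, so the leading-dash check is explicit and separate.
function valid_envelope_from(string $addr): bool
{
    if ($addr === '' || strlen($addr) > 254 || $addr[0] === '-') {
        return false;
    }
    return (bool) preg_match(
        '/^[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.-]{1,64}@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$/',
        $addr
    );
}

function sendmail_cmd_hardened(string $envelopeFrom): ?string
{
    if (!valid_envelope_from($envelopeFrom)) {
        return null; // caller logs the rejection and refuses to send
    }
    return SENDMAIL_BIN . ' -f ' . escapeshellarg($envelopeFrom) . ' -t';
}

foreach ($samples as $s) {
    printf("%-22s vulnerable: %s\n", $s, sendmail_cmd_vulnerable($s));
    printf("%-22s hardened:   %s\n", '', sendmail_cmd_hardened($s) ?? 'REJECTED');
}
```

The same validation should apply to the envelope sender even when an SMTP relay is configured, since the CVE only bites in the sendmail-binary path but the value is untrusted either way.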
CVE-2020-12626
Roundcube Webmail CVE-2020-12626 is a CSRF vulnerability in versions before 1.4.4 where an attacker can cause an authenticated user to be logged out by abusing POST requests. The issue arises from incorrect handling of login/logout POSTs and is documented across multiple connected sources, including D...
CVE-2017-8114
CVE-2017-8114: Roundcube Webmail vulnerability where authenticated users can arbitrarily reset passwords due to an improperly restricted exec call in the password plugin’s virtualmin and sasl drivers. Affected: <1.0.11, 1.1.x <1.1.9, 1.2.x
CVE-2013-6172
CVE-2013-6172 affects Roundcube Webmail prior to 0.9.5 and 0.8.7. The vulnerability is in steps/utils/save_pref.inc and allows remote attackers to modify configuration settings via the _session parameter, enabling reading arbitrary files, SQL injection, and arbitrary code execution. The open advi...
CVE-2021-44025
Roundcube webmail vulnerability CVE-2021-44025 (XSS) and CVE-2021-44026 (SQL injection) affect Roundcube before 1.3.17 and 1.4.x before 1.4.12. The XSS is triggered by handling an attachment filename extension in a MIME type warning message; the SQLi affects search/search_params handling. Publicl...
CVE-2017-17688
CVE-2017-17688 concerns an OpenPGP CFB gadget/malleability attack (EFAIL) that can lead to plaintext exfiltration from encrypted emails. Connected advisories show Enigmail/OpenPGP patches (e.g., openSUSE SUSE/OpenSUSE-2019-368/395; Thunderbird enigmail updates) addressing this vulnerability by ti...
CVE-2023-47272
CVE-2023-47272 affects Roundcube Webmail (1.5.x before 1.5.6 and 1.6.x before 1.6.5). The underlying issue is improper handling of header values (Content-Type/Content-Disposition) when processing attachments, enabling a cross-site scripting (XSS) vulnerability via attachment preview or download. ...
CVE-2018-19206
CVE-2018-19206 affects Roundcube Webmail: a cross-site scripting vulnerability in HTML message rendering (steps/mail/func.inc) via crafted use of <svg><style> content, because of program/lib/Roundcube/rcube_washtml.php behavior. Affected are Roundcube versions before 1.3.8 (and, per Debian advisories, prior patches and rela...
CVE-2008-5619
CVE-2008-5619 affects RoundCube Webmail (versions 0.2-1 alpha and 0.2-3 beta) via the html2text.php integration that uses the chuggnutt HTML-to-text library. The underlying issue is the use of preg_replace with the eval modifier, allowing remote code execution when crafted input is processed. Exp...
CVE-2018-9846
CVE-2018-9846 affects Roundcube versions 1.2.0–1.3.5 with the archive plugin enabled. The root cause is improper sanitization of the user-controlled _uid parameter in archive.php (request _task=mail&_mbox=INBOX&_action=plugin.move2archive), allowing an MX (IMAP) command injection by appending comma...
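IMAP is line-oriented, so a CR LF inside a value that is spliced into a command terminates that command and turns the remainder into a second one. The block below is an added example, not code from Roundcube or its archive plugin: it shows a uid parameter reaching a UID MOVE command unchecked, then the same command built only after the value is confirmed to be an RFC 3501 sequence-set. The tag, mailbox name and sample parameter values are constructed for the demo, and the injected second command is a harmless NOOP:

```php
<?php
// Added illustration (not Roundcube or archive-plugin code): a request
// parameter spliced into an IMAP command. A CRLF inside the value ends the
// command and whatever follows is parsed as a new command, the MX/IMAP
// injection class described for CVE-2018-9846.

// Constructed sample values of a "_uid"-style parameter.
$samples = [
    '12',
    '1,5,9:12',                      // valid IMAP sequence-set
    "12\r\nA002 NOOP",               // CRLF-injected second command
    urldecode('12%0d%0aA002 NOOP'),  // the same, as it arrives URL-encoded
];

// Vulnerable: the value is trusted to be a sequence-set.
function imap_move_vulnerable(string $tag, string $uid, string $mbox): string
{
    return "$tag UID MOVE $uid $mbox\r\n";
}

// Hardened: accept only a sequence-set made of numbers, ranges (a:b, a:*)
// and commas, with no whitespace, before building the command.
function valid_sequence_set(string $uid): bool
{
    $item = '(?:[1-9][0-9]*|\*)(?::(?:[1-9][0-9]*|\*))?';
    return (bool) preg_match('/^' . $item . '(?:,' . $item . ')*$/', $uid);
}

function imap_move_hardened(string $tag, string $uid, string $mbox): ?string
{
    if (!valid_sequence_set($uid)) {
        return null;
    }
    // Mailbox names travel as IMAP quoted strings: refuse CR/LF/NUL outright
    // and escape the two characters quoting cares about.
    if (preg_match('/[\r\n\0]/', $mbox)) {
        return null;
    }
    $quoted = '"' . addcslashes($mbox, '"\\') . '"';
    return "$tag UID MOVE $uid $quoted\r\n";
}

foreach ($samples as $uid) {
    echo 'input:      ' . json_encode($uid) . "\n";
    echo 'vulnerable: ' . json_encode(imap_move_vulnerable('A001', $uid, 'Archive')) . "\n";
    echo 'hardened:   ' . json_encode(imap_move_hardened('A001', $uid, 'Archive') ?? 'REJECTED') . "\n";
}
```

json_encode() is used only so the embedded \r\n is visible in the output; in the vulnerable line the server would receive two tagged commands where one was intended.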
CVE-2020-13964
CVE-2020-13964 affects Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5; the issue is an HTML/XSS risk in include/rcmail_output_html.php via the username template object. Patches are released: Roundcube 1.3.12 and 1.4.5 (and 1.4.6 in some advisories). Remediation is to upgrade to th...
CVE-2024-57004
CVE-2024-57004 affects Roundcube Webmail 1.6.9. An XSS exists where remote authenticated users can upload a malicious file as an email attachment, with the XSS triggered when the Sent folder is viewed (the "SENT session" in the CVE wording). The description specifies the vulnerable component is the attachment upload path and the conseq...
CVE-2024-37384
CVE-2024-37384 affects Roundcube Webmail: versions before 1.5.7 and 1.6.x before 1.6.7 are vulnerable. The issue allows Cross-Site Scripting via list columns from user preferences. The connected documents include Debian/Ubuntu/Nessus and OpenVAS advisories that corroborate the vulnerability and i...
CVE-2015-2180
The CVE-2015-2180 issue affects Roundcube's Password plugin: the DBMail driver accepts a password containing shell metacharacters, enabling remote command execution. This is tied to Roundcube versions before 1.1.0. The attack is network-reachable and needs only an authenticated webmail user who can change their own password through the plugin, l...
CVE-2016-4068
CVE-2016-4068 is an XSS vulnerability in Roundcube Webmail, affecting versions before 1.0.9 and 1.1.x before 1.1.5. An attacker can inject arbitrary script/HTML via a crafted SVG, enabling script execution in the context of the victim's browser session (client-side XSS, not server-side code execution). The issue stems from insufficient input validati...
CVE-2021-26925
CVE-2021-26925 affects Roundcube Webmail prior to 1.4.11, enabling cross-site scripting via crafted CSS token sequences while rendering HTML emails. Public advisories (Mageia/Fedora) confirm the fix in 1.4.11. Remediate by upgrading Roundcube to 1.4.11 or newer; exploitation status is not describ...
CVE-2018-19205
CVE-2018-19205 affects Roundcube before 1.3.7, where processing of GnuPG MDC integrity-protection warnings in the Enigma driver (plugins/enigma/lib/enigma_driver_gnupg.php) can leak sensitive information. The issue is tied to a related CVE-2017-17688 and is mitigated by updating Roundcube to vers...
CVE-2013-1904
CVE-2013-1904 affects Roundcube Webmail. Affected: steps/mail/sendmail.inc contains an absolute path traversal flaw in the _value parameter of the generic_message_footer setting, set through a save-pref action, enabling remote attackers to read arbitrary files. Impact exposed in versions prior to ...
CVE-2015-1433
CVE-2015-1433 affects Roundcube (Roundcube Webmail) where the file program/lib/Roundcube/rcube_washtml.php mishandles quoting in the HTML style attribute, enabling remote XSS via email content. The vulnerability arises from incorrect quotation logic during sanitization of the style HTML attribute...
CVE-2015-2181
CVE-2015-2181 affects the DBMail driver of Roundcube's Password plugin. The vulnerability is a buffer overflow in the DBMail driver that exists in Roundcube before version 1.1.0 and could allow remote attackers to cause unspecified impact via the password or username fields. The connected do...
CVE-2015-8864
CVE-2015-8864 is an XSS vulnerability in Roundcube Webmail, exploitable through a crafted SVG. Affected products are Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5. The issue allows remote attackers to inject arbitrary web script or HTML. The description explicitly notes this is a separate...
CVE-2009-0413
CVE-2009-0413 is an XSS vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable. An attacker could inject arbitrary HTML/script by exploiting the background attribute in HTML emails, leading to script execution in a user’s browser context. Public records show CVSS 2.0 base score 4.3 (AV:N/A...
CVE-2012-3507
CVE-2012-3507 is a cross-site scripting (XSS) vulnerability in RoundCube Webmail prior to 0.8.0 when using the Larry skin, allowing remote attackers to inject arbitrary script or HTML via the email subject. Public reports in openSUSE and Fedora advisories indicate updates exist to address this is...
CVE-2014-9587
CVE-2014-9587 affects Roundcube Webmail prior to version 1.0.4, exposing multiple CSRF vulnerabilities that allow remote attackers to hijack user authentication via vectors tied to address book operations, ACL, or Managesieve plugins. Public references from SUSE/OpenSUSE and Debian indicate that ...
CVE-2011-4078
CVE-2011-4078 affects Roundcube Webmail
CVE-2016-4069
Roundcube Webmail is affected by CVE-2016-4069 (CSRF) in versions before 1.1.5. The vulnerability allows remote attackers to hijack user authentication for requests that download attachments, leading to a denial of service (disk consumption) via unspecified vectors. The available documents do not...
CVE-2012-3508
CVE-2012-3508 is an XSS vulnerability in Roundcube Webmail 0.8.0 affecting the HTML email rendering path (program/lib/washtml.php), where attackers can inject script/HTML via a javascript: href in HTML-formatted emails. Connected advisories confirm remediation patches: updates to Roundcube 0.8.1 ...
CVE-2018-1000071
Roundcube Webmail