Lucene search
+L
RoundcubeWebmail

81 matches found

CVE
CVE
added 2017/03/12 4:57 a.m.66 views

CVE-2017-6820

CVE-2017-6820 affects Roundcube’s webmail software via rcube_utils.php. The vulnerability is a cross-site scripting (XSS) flaw caused by a crafted CSS token sequence inside an SVG element, impacting Roundcube versions before 1.1.8 and 1.2.x before 1.2.4. Exploitation details indicate a remote att...

6.1CVSS5.7AI score0.01293EPSS
Web
CVE
CVE
added 2018/03/13 3:0 p.m.64 views

CVE-2018-1000071

Roundcube Webmail

7.5CVSS7.4AI score0.0171EPSS
CVE
CVE
added 2010/01/29 6:0 p.m.63 views

CVE-2010-0464

CVE-2010-0464 affects Roundcube 0.3.1 and earlier, where the browser is not instructed to avoid DNS prefetching for domain names in email messages, enabling remote attackers to infer the user’s network location by DNS requests. Public references include Fedora backport and Debian backports adviso...

5CVSS6.3AI score0.01962EPSS
CVE
CVE
added 2013/02/24 9:0 p.m.63 views

CVE-2012-6121

CVE-2012-6121 is a cross-site scripting (XSS) vulnerability in Roundcube Webmail prior to 0.8.5. An attacker can inject arbitrary script/html via data:text or vbscript links, potentially affecting users who click such links. The issue is documented in multiple connected sources (e.g., SUSE securi...

4.3CVSS5.4AI score0.02048EPSS
CVE
CVE
added 2017/05/23 3:56 a.m.63 views

CVE-2015-5381

Summary: The CVE-2015-5381 entry affects Roundcube Webmail 1.1.x before 1.1.2, where a cross-site scripting (XSS) vulnerability exists in the file program/include/rcmail.php . A remote attacker can exploit this by supplying a crafted payload to the _mbox parameter at the default URI, enabling inj...

6.1CVSS6.1AI score0.02533EPSS
Web
CVE
CVE
added 2016/01/29 7:0 p.m.63 views

CVE-2015-8793

The CVE refers to a Cross-site scripting (XSS) vulnerability in Roundcube Webmail affecting the file program/include/rcmail.php, specifically in versions before 1.0.6 and 1.1.x before 1.1.2. The underlying issue is an XSS vector via the _mbox parameter in a mail task to the default URL, enabling ...

6.1CVSS5.9AI score0.01388EPSS
Web
CVE
CVE
added 2005/12/20 2:0 a.m.59 views

CVE-2005-4368

CVE-2005-4368 affects Roundcube Webmail Alpha. When rcube_config['debug_level'] is set to 1 (default high verbose), an attacker can trigger an invalid_task to cause an error message that discloses the full application path. The available connected documents confirm the vulnerability description a...

5CVSS6.5AI score0.01409EPSS
CVE
CVE
added 2009/11/25 9:22 p.m.58 views

CVE-2009-4076

CVE-2009-4076 is a CSRF vulnerability in Roundcube Webmail 0.2.2 and earlier that could allow remote attackers to hijack a user’s authentication for requests that modify user information. Connected documents indicate a remediation: Fedora 10 security advisory MDVSA-2010:015 fixes CVE-2009-4076 (a...

6.8CVSS6.5AI score0.01342EPSS
CVE
CVE
added 2011/04/08 3:0 p.m.57 views

CVE-2011-1491

CVE-2011-1491 affects Roundcube Webmail prior to 0.5.1. The issue is in the login form: an authenticated-but-unintended login sequence can be exploited to obtain sensitive information when a victim logs into the attacker’s account and composes an email, effectively a login CSRF vulnerability. Con...

3.5CVSS5.6AI score0.01519EPSS
CVE
CVE
added 2015/11/10 4:0 p.m.57 views

CVE-2015-8105

CVE-2015-8105 affects Roundcube webmail, specifically the vulnerable component is program/js/app.js. The XSS flaw arises in the drag-and-drop file upload via the filename field, impacting Roundcube versions before 1.0.7 and 1.1.x before 1.1.3. Exploitation requires remote authenticated access, en...

3.5CVSS6.3AI score0.01459EPSS
CVE
CVE
added 2008/12/17 2:0 a.m.56 views

CVE-2008-5620

CVE-2008-5620 affects RoundCube Webmail (roundcubemail) prior to 0.2-beta. The vulnerability allows remote attackers to cause a denial of service via crafted size parameters used to generate a quota image, leading to memory consumption. Public references in the initial entry point to a DoS scenar...

7.8CVSS6.2AI score0.02576EPSS
CVE
CVE
added 2011/04/08 3:0 p.m.56 views

CVE-2011-1492

CVE-2011-1492 affects Roundcube Webmail prior to 0.5.1. The issue is in steps/utils/modcss.inc, where requests for an external CSS stylesheet are not properly verified, allowing remote authenticated users to trigger arbitrary outbound TCP connections from the server and potentially obtain sensiti...

5.5CVSS6.2AI score0.01763EPSS
CVE
CVE
added 2017/05/23 3:56 a.m.56 views

CVE-2015-5382

The CVE-2015-5382 vulnerability affects Roundcube Webmail prior to 1.0.6 and 1.1.x prior to 1.1.2. Affected component: program/steps/addressbook/photo.inc. Root cause: information disclosure via the _alt parameter when uploading a vCard, allowing remote authenticated users to read arbitrary files...

6.5CVSS6.5AI score0.03312EPSS
Web
CVE
CVE
added 2016/12/20 10:0 p.m.55 views

CVE-2016-4552

CVE-2016-4552 affects Roundcube Webmail prior to 1.2.0. The vulnerability is a cross-site scripting (XSS) flaw that allows an attacker to inject arbitrary web script or HTML via the href attribute in an area tag within an e-mail message. Public references consistently describe it as a remote XSS ...

6.1CVSS6AI score0.01372EPSS
CVE
CVE
added 2007/12/12 1:0 a.m.54 views

CVE-2007-6321

The CVE-2007-6321 issue affects Roundcube webmail (0.1rc2 and earlier) where IE could execute XSS via style sheets containing expression commands. Connected OpenVAS/Nessus entries reference Fedora updates (FEDORA-2008-5333/5342/5315) that include XSS fixes for roundcubemail, indicating a patch-ba...

4.3CVSS5.4AI score0.05439EPSS
CVE
CVE
added 2012/08/25 10:0 a.m.54 views

CVE-2012-4668

CVE-2012-4668 affects Roundcube Webmail (versions 0.8.1 and earlier). The vulnerability is a cross-site scripting (XSS) flaw that allows remote attackers to inject arbitrary script or HTML via the email signature field. The root cause is insufficient sanitization/exposure of the email signature i...

4.3CVSS5.8AI score0.03716EPSS
CVE
CVE
added 2009/11/25 9:22 p.m.53 views

CVE-2009-4077

CVE-2009-4077 : Cross-site request forgery (CSRF) in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack authentication of unspecified users for requests that send arbitrary emails via unspecified vectors. The issue affects Roundcube Webmail up to version 0.2.2; Fedora advisorie...

6.8CVSS6.9AI score0.01342EPSS
CVE
CVE
added 2013/08/29 10:0 a.m.52 views

CVE-2013-5645

CVE-2013-5645 pertains to multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before version 0.9.3. The issues allow user-assisted remote attackers to inject arbitrary script/HTML via the body of a message viewed in new or draft mode (compose.inc) and may also enable injectio...

4.3CVSS5.2AI score0.0188EPSS
Web
CVE
CVE
added 2012/06/04 3:0 p.m.50 views

CVE-2012-1253

CVE-2012-1253 is an XSS vulnerability in Roundcube Webmail before 0.7 where Internet Explorer handles an embedded image attachment; remote attackers could inject script or HTML. NVD lists a low base score (2.6, AV:N/AC:H/Au:N/I:P/A:N). Fedora/OpenVAS entries indicate Fedora advisories for roundcu...

2.6CVSS5.5AI score0.01812EPSS
CVE
CVE
added 2013/08/29 10:0 a.m.43 views

CVE-2013-5646

Roundcube webmail 1.0-git is affected by a cross-site scripting (XSS) vulnerability that allows remote authenticated users to inject arbitrary web script or HTML through the Name field of an addressbook group. The linked sources consistently describe XSS in this component/version, but do not prov...

3.5CVSS5.4AI score0.01152EPSS
CVE
CVE
added 2026/04/03 3:28 a.m.40 views

CVE-2026-35537

The CVE-2026-35537 vulnerability affects Roundcube Webmail prior to 1.5.14 and 1.6.14, where unsafe deserialization in the redis/memcache session handler can allow unauthenticated attackers to perform arbitrary file writes via crafted session data. Several advisories confirm this issue and refere...

7.5CVSS6AI score0.00475EPSS
CVE
CVE
added 2025/12/18 4:54 a.m.37 views

CVE-2025-68460

Roundcube Webmail is vulnerable to information disclosure in the HTML style sanitizer for releases before 1.5.12 and 1.6.x before 1.6.12. Multiple advisories (Debian DSA-6087, DLA-4415-1; Fedora packages roundcubemail 1.6.12; EUVD-2025-204036; NVD entry CVE-2025-68460) confirm the issue and point...

7.5CVSS5.8AI score0.00249EPSS
CVE
CVE
added 2026/04/03 3:50 a.m.33 views

CVE-2026-35541

Roundcube Webmail is affected in versions prior to 1.5.14 and 1.6.14 due to an incorrect password comparison in the password plugin, which can cause a type confusion and allow changing a password without the old one. Mitigation: upgrade to the patched releases (1.5.14 or 1.6.14); refer to the ass...

4.2CVSS5.9AI score0.00243EPSS
CVE
CVE
added 5 days ago32 views

CVE-2026-54433

CVE-2026-54433 affects Roundcube Webmail prior to 1.6.17 and 1.7.x prior to 1.7.2. It is a Stored XSS vulnerability that allows attacker-controlled JavaScript to execute within the victim’s authenticated session simply by opening or previewing a crafted plain-text email (zero-click). Fedora advis...

10CVSS6.1AI score0.00311EPSS
CVE
CVE
added 2026/04/03 4:2 a.m.30 views

CVE-2026-35545

The CVE-2026-35545 vulnerability affects Roundcube Webmail prior to 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed by SVG content in emails via animate element with attributeName=fill, filter, or stroke, enabling information disclosure or access-control bypass. Fedora/Debian...

8.2CVSS5.9AI score0.00329EPSS
CVE
CVE
added 2026/04/03 3:47 a.m.29 views

CVE-2026-35540

Summary: CVE-2026-35540 affects Roundcube Webmail 1.6.0 through before 1.6.14. The issue is insufficient CSS sanitization in HTML e‑mail messages, which may allow SSRF or Information Disclosure when stylesheet links resolve to local network hosts. What’s affected: Roundcube Webmail (version linea...

6.5CVSS5.9AI score0.0031EPSS
CVE
CVE
added 2026/04/03 3:35 a.m.27 views

CVE-2026-35538

This CVE affects Roundcube Webmail prior to 1.5.14 and prior to 1.6.14. The issue is unsanitized IMAP SEARCH arguments that can lead to IMAP injection or CSRF bypass during mail search. The connected sources indicate fixed releases: Roundcube 1.5.14 and 1.6.14 (and related security updates), so u...

3.1CVSS5.9AI score0.00283EPSS
CVE
CVE
added 2026/04/03 3:59 a.m.23 views

CVE-2026-35544

CVE-2026-35544 affects Roundcube Webmail before 1.5.14 and 1.6.14. The issue is insufficient CSS sanitization in HTML emails, which may allow a fixed-position mitigation bypass via the use of !important. CVSS v3.1 base score 5.3 (Network, Low complexity, No privileges, No user interaction). The d...

5.3CVSS5.9AI score0.00366EPSS
CVE
CVE
added 2026/04/03 3:57 a.m.22 views

CVE-2026-35543

The CVE affects Roundcube Webmail versions before 1.5.14 and 1.6.14. The issue allows bypassing the remote image blocking feature via SVG content (with animate attributes) in an e-mail message, which can lead to information disclosure or an access-control bypass. Remediation details documented in...

5.3CVSS5.9AI score0.00402EPSS
CVE
CVE
added 2026/04/03 3:39 a.m.19 views

CVE-2026-35539

CVE-2026-35539 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The issue is an XSS vulnerability caused by insufficient HTML attachment sanitization in preview mode; a user must preview a text/html attachment for exploitation. The vulnerability is limited to scenarios where a victim preview...

6.1CVSS5.9AI score0.00251EPSS
CVE
CVE
added 2026/04/03 3:54 a.m.16 views

CVE-2026-35542

CVE-2026-35542 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed by a crafted background attribute of a BODY element in an email, potentially leading to information disclosure or an access-control bypass. No exploitation details are provided i...

5.3CVSS5.9AI score0.00402EPSS
Total number of security vulnerabilities81