
32 matches found

CVE-2020-35730
Added 2020/12/28 7:37 p.m. | 730 views

Roundcube Webmail contains a cross-site scripting (XSS) vulnerability in rcube_string_replacer.php (linkref_addindex). An attacker can embed JavaScript in a plain-text email link reference, leading to script execution in the victim’s browser. Affected: Roundcube <1.2.13, <1.3.16 for 1.3.x, ...

CVSS 6.1 | AI score 6.1 | EPSS 0.32823 | In wild

CVE-2021-44026
Added 2021/11/19 3:47 a.m. | 693 views

CVE-2021-44026 concerns Roundcube Webmail, where versions prior to 1.3.17 and 1.4.x prior to 1.4.12 are vulnerable to SQL injection via search or search_params. The issue is documented in multiple advisories and CVE trackers, with Debian and Fedora indicating fixes in 1.2.3+dfsg.1-4+deb9u9 / 1.4....

CVSS 9.8 | AI score 9.6 | EPSS 0.42751 | In wild

CVE-2025-49113
Added 2025/06/02 12:00 a.m. | 616 views

CVE-2025-49113 affects Roundcube Webmail (Roundcube core) with PHP Object Deserialization via the unvalidated _from parameter in actions/settings/upload.php. The issue allows remote code execution by an authenticated user. Public advisories confirm RCE implications and that patches were released...

CVSS 9.9 | AI score 8 | EPSS 0.89462 | In wild | Web

CVE-2023-5631
Added 2023/10/18 2:51 p.m. | 487 views

CVE-2023-5631 affects Roundcube Webmail. The issue is a stored XSS via an HTML e-mail message containing a crafted SVG, caused by logic in Roundcube’s rcube_washtml.php. Affected versions are Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4. Successful exploitation could allow ...

CVSS 6.1 | AI score 5.7 | EPSS 0.73445 | In wild

CVE-2024-42009
Added 2024/08/05 12:00 a.m. | 317 views

CVE-2024-42009 is a high-severity (CRITICAL) Cross-Site Scripting vulnerability in RoundCube Webmail (affected: up to 1.5.7 and 1.6.x up to 1.6.7) allowing a remote attacker to steal/send a victim’s emails via a crafted message that abuses a desanitization issue in message_body() of program/actio...

CVSS 9.3 | AI score 6 | EPSS 0.82853 | In wild | Web

CVE-2025-68461
Added 2025/12/18 5:00 a.m. | 264 views

CVE-2025-68461 affects Roundcube Webmail: cross-site scripting via the animate element in an SVG document, impacting Roundcube Webmail < 1.6.12 and

CVSS 7.2 | AI score 6.1 | EPSS 0.19769 | In wild

CVE-2023-43770
Added 2023/09/22 12:00 a.m. | 245 views

Roundcube Webmail vulnerability CVE-2023-43770 is a cross-site scripting (XSS) issue in Roundcube prior to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3. The root cause is behavior in program/lib/Roundcube/rcube_string_replacer.php that allows XSS via crafted links in text/plain emails, ...

CVSS 6.1 | AI score 5.8 | EPSS 0.58483 | In wild

CVE-2020-13965
Added 2020/06/09 2:45 a.m. | 223 views

CVE-2020-13965 concerns Roundcube Webmail prior to 1.3.12 and prior to 1.4.5, where an XSS can be triggered via a malicious XML attachment because text/xml is among allowed preview types. The vulnerability affects Roundcube Webmail versions before these fixed releases; remediation is to upgrade t...

CVSS 6.3 | AI score 7 | EPSS 0.76596 | In wild | Web

CVE-2020-12625
Added 2020/05/04 1:57 a.m. | 213 views

CVE-2020-12625 concerns Roundcube Webmail up to version 1.4.3, with a cross-site scripting (XSS) vulnerability in rcube_washtml.php that allows JavaScript in HTML message CDATA to be executed. Public advisories (e.g., Ubuntu USN-5182-1, Debian DSA-4674-1, openSUSE openSUSE-2020-1516) confirm the ...

CVSS 6.1 | AI score 5.8 | EPSS 0.02782

CVE-2020-15562
Added 2020/07/06 11:26 a.m. | 190 views

CVE-2020-15562 affects Roundcube Webmail and enables cross-site scripting (XSS) via a crafted HTML e-mail that uses the xmlns attribute of a HEAD element when an SVG is present. Affected releases include Roundcube Webmail < 1.2.11, 1.3.x < 1.3.14, and 1.4.x

CVSS 6.1 | AI score 5.7 | EPSS 0.02073

CVE-2020-16145
Added 2020/08/12 12:29 p.m. | 182 views

CVE-2020-16145 affects Roundcube Webmail prior to 1.3.15 and 1.4.8, where a crafted SVG in HTML messages can trigger stored XSS during display. Advisories confirm fixes in 1.3.15 and 1.4.8; remediation is to upgrade to these versions or newer. Occurrence details are supported by OpenSUSE/Tenable/...

CVSS 6.1 | AI score 5.7 | EPSS 0.01945

CVE-2024-37383
Added 2024/06/07 12:00 a.m. | 174 views

CVE-2024-37383 affects Roundcube Webmail: an XSS caused by improper handling of SVG animate attributes in messages. Affected versions are Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7. Public details include a stored XSS instance reported for Roundcube 1.6.6 (Exploit-DB). Debian advisorie...

CVSS 6.1 | AI score 6.1 | EPSS 0.73296 | In wild

CVE-2019-10740
Added 2019/04/07 2:36 p.m. | 164 views

CVE-2019-10740 affects Roundcube Webmail prior to 1.3.10: an attacker who has access to S/MIME or PGP encrypted emails can wrap the encrypted parts into sub-parts of a crafted multipart message. The attacker can hide these parts using HTML/CSS or ASCII newlines and resend the modified multipart e...

CVSS 4.3 | AI score 5.3 | EPSS 0.00771

CVE-2024-37385
Added 2024/06/07 3:24 a.m. | 151 views

Affected software: Roundcube Webmail on Windows. Vulnerability: command injection in im_convert_path and im_identify_path present in Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7, due to an incomplete fix for CVE-2020-12641. Impact (per CVSS): high confidentiality, integrity, and availabi...

CVSS 9.8 | AI score 9.8 | EPSS 0.01477

CVE-2024-42008
Added 2024/08/05 12:00 a.m. | 147 views

CVE-2024-42008 is a Cross-Site Scripting flaw in Roundcube’s rcmail_action_mail_get->run() that affects Roundcube <= 1.5.7 and 1.6.x

CVSS 9.3 | AI score 6.1 | EPSS 0.32265 | Web

CVE-2020-12626
Added 2020/05/04 1:57 a.m. | 118 views

Roundcube Webmail CVE-2020-12626 is a CSRF vulnerability where an attacker can cause an authenticated user to be logged out by abusing POST requests. The issue arises from incorrect handling of login/logout POSTs and is documented across multiple connected sources, including D...

CVSS 6.5 | AI score 6.3 | EPSS 0.01831

CVE-2017-8114
Added 2017/04/29 7:00 p.m. | 117 views

CVE-2017-8114: Roundcube Webmail vulnerability where authenticated users can arbitrarily reset passwords due to an improperly restricted exec call in the password plugin’s virtualmin and sasl drivers. Affected: <1.0.11, 1.1.x <1.1.9, 1.2.x

CVSS 8.8 | AI score 8.5 | EPSS 0.03471

CVE-2021-44025
Added 2021/11/19 3:47 a.m. | 112 views

Roundcube webmail vulnerability CVE-2021-44025 (XSS) and CVE-2021-44026 (SQL injection) affect Roundcube before 1.3.17 and 1.4.x before 1.4.12. The XSS is triggered by handling an attachment filename extension in a MIME type warning message; the SQLi affects search/search_params handling. Publicl...

CVSS 6.1 | AI score 7.2 | EPSS 0.01047

CVE-2018-19206
Added 2018/11/12 5:00 p.m. | 108 views

CVE-2018-19206 affects Roundcube Webmail: a cross-site scripting vulnerability in how HTML attachments are parsed, via crafted content that can execute when an onload attribute is used in a BODY tag. Affected are Roundcube versions before 1.3.8 (and, per Debian advisories, prior patches and rela...

CVSS 6.1 | AI score 5.7 | EPSS 0.60162 | Web

CVE-2020-13964
Added 2020/06/09 2:45 a.m. | 97 views

CVE-2020-13964 affects Roundcube Webmail prior to 1.3.12 and prior to 1.4.5 for 1.4.x; the issue is an HTML/XSS risk in include/rcmail_output_html.php via the username template object. Patches are released: Roundcube 1.3.12 and 1.4.5 (and 1.4.6 in some advisories). Remediation is to upgrade to th...

CVSS 6.1 | AI score 7.1 | EPSS 0.01038

CVE-2024-37384
Added 2024/06/07 12:00 a.m. | 86 views

CVE-2024-37384 affects Roundcube Webmail: versions before 1.5.7 and 1.6.x before 1.6.7 are vulnerable. The issue allows Cross-Site Scripting via list columns from user preferences. The connected documents include Debian/Ubuntu/Nessus and OpenVAS advisories that corroborate the vulnerability and i...

CVSS 6.1 | AI score 6.1 | EPSS 0.00498

CVE-2018-19205
Added 2018/11/12 5:00 p.m. | 78 views

CVE-2018-19205 affects Roundcube before 1.3.7, where processing of GnuPG MDC integrity-protection warnings in the Enigma driver (plugins/enigma/lib/enigma_driver_gnupg.php) can leak sensitive information. The issue is tied to a related CVE-2017-17688 and is mitigated by updating Roundcube to vers...

CVSS 7.5 | AI score 5.7 | EPSS 0.016

CVE-2021-26925
Added 2021/02/09 8:53 a.m. | 78 views

CVE-2021-26925 affects Roundcube Webmail prior to 1.4.11, enabling cross-site scripting via crafted CSS token sequences while rendering HTML emails. Public advisories (Mageia/Fedora) confirm the fix in 1.4.11. Remediate by upgrading Roundcube to 1.4.11 or newer; exploitation status is not describ...

CVSS 5.4 | AI score 5 | EPSS 0.01006

CVE-2015-2181
Added 2017/01/30 10:00 p.m. | 69 views

CVE-2015-2181 affects Roundcube including the Password plugin DBMail driver. The vulnerability is a buffer overflow in the DBMail driver that exists in Roundcube before version 1.1.0 and could allow remote attackers to cause unspecified impact via the password or username fields. The connected do...

CVSS 8.8 | AI score 8.9 | EPSS 0.02867

CVE-2025-68460
Added 2025/12/18 4:54 a.m. | 30 views

Roundcube Webmail is vulnerable to information disclosure in the HTML style sanitizer for releases before 1.5.12 and 1.6.x before 1.6.12. Multiple advisories (Debian DSA-6087, DLA-4415-1; Fedora packages roundcubemail 1.6.12; EUVD-2025-204036; NVD entry CVE-2025-68460) confirm the issue and point...

CVSS 7.5 | AI score 5.8 | EPSS 0.00244

CVE-2026-35537
Added 2026/04/03 3:28 a.m. | 27 views

The CVE-2026-35537 vulnerability affects Roundcube Webmail prior to 1.5.14 and 1.6.14, where unsafe deserialization in the redis/memcache session handler can allow unauthenticated attackers to perform arbitrary file writes via crafted session data. Several advisories confirm this issue and refere...

CVSS 7.5 | AI score 6 | EPSS 0.00475

CVE-2026-35545
Added 2026/04/03 4:02 a.m. | 22 views

The CVE-2026-35545 vulnerability affects Roundcube Webmail prior to 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed by SVG content in emails via animate element with attributeName=fill, filter, or stroke, enabling information disclosure or access-control bypass. Fedora/Debian...

CVSS 8.2 | AI score 5.9 | EPSS 0.00329

CVE-2026-35538
Added 2026/04/03 3:35 a.m. | 21 views

This CVE affects Roundcube Webmail prior to 1.5.14 and prior to 1.6.14. The issue is unsanitized IMAP SEARCH arguments that can lead to IMAP injection or CSRF bypass during mail search. The connected sources indicate fixed releases: Roundcube 1.5.14 and 1.6.14 (and related security updates), so u...

CVSS 3.1 | AI score 5.9 | EPSS 0.00283

CVE-2026-35541
Added 2026/04/03 3:50 a.m. | 21 views

Roundcube Webmail is affected in versions prior to 1.5.14 and 1.6.14 due to an incorrect password comparison in the password plugin, which can cause a type confusion and allow changing a password without the old one. Mitigation: upgrade to the patched releases (1.5.14 or 1.6.14); refer to the ass...

CVSS 4.2 | AI score 5.9 | EPSS 0.00243

CVE-2026-35543
Added 2026/04/03 3:57 a.m. | 15 views

The CVE affects Roundcube Webmail versions before 1.5.14 and 1.6.14. The issue allows bypassing the remote image blocking feature via SVG content (with animate attributes) in an e-mail message, which can lead to information disclosure or an access-control bypass. Remediation details documented in...

CVSS 5.3 | AI score 5.9 | EPSS 0.00402

CVE-2026-35539
Added 2026/04/03 3:39 a.m. | 12 views

CVE-2026-35539 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The issue is an XSS vulnerability caused by insufficient HTML attachment sanitization in preview mode; a user must preview a text/html attachment for exploitation. The vulnerability is limited to scenarios where a victim preview...

CVSS 6.1 | AI score 5.9 | EPSS 0.00251

CVE-2026-35542
Added 2026/04/03 3:54 a.m. | 11 views

CVE-2026-35542 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed by a crafted background attribute of a BODY element in an email, potentially leading to information disclosure or an access-control bypass. No exploitation details are provided i...

CVSS 5.3 | AI score 5.9 | EPSS 0.00402