CVE-2020-35730
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability in rcube_string_replacer.php (linkref_addindex). An attacker can embed JavaScript in a plain-text email link reference, leading to script execution in the victim’s browser. Affected: Roundcube <1.2.13, <1.3.16 for 1.3.x, ...
CVE-2021-44026
CVE-2021-44026 concerns Roundcube Webmail, where versions prior to 1.3.17 and 1.4.x prior to 1.4.12 are vulnerable to SQL injection via search or search_params. The issue is documented in multiple advisories and CVE trackers, with Debian and Fedora indicating fixes in 1.2.3+dfsg.1-4+deb9u9 / 1.4....
CVE-2025-49113
CVE-2025-49113 affects Roundcube Webmail (Roundcube core) with PHP object deserialization via the unvalidated _from parameter in actions/settings/upload.php. The issue allows remote code execution by an authenticated user. Public advisories confirm RCE implications and that patches were released...
CVE-2023-5631
CVE-2023-5631 affects Roundcube Webmail. The issue is a stored XSS via an HTML e-mail message containing a crafted SVG, caused by logic in Roundcube’s rcube_washtml.php. Affected versions are Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4. Successful exploitation could allow ...
CVE-2024-42009
CVE-2024-42009 is a high-severity (CRITICAL) cross-site scripting vulnerability in Roundcube Webmail (affected: up to 1.5.7 and 1.6.x up to 1.6.7) allowing a remote attacker to steal/send a victim’s emails via a crafted message that abuses a desanitization issue in message_body() of program/actio...
CVE-2025-68461
CVE-2025-68461 affects Roundcube Webmail: cross-site scripting via the animate element in an SVG document, impacting Roundcube Webmail < 1.6.12 and
CVE-2023-43770
Roundcube Webmail vulnerability CVE-2023-43770 is a cross-site scripting (XSS) issue in Roundcube prior to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3. The root cause is behavior in program/lib/Roundcube/rcube_string_replacer.php that allows XSS via crafted links in text/plain emails, ...
CVE-2020-13965
CVE-2020-13965 concerns Roundcube Webmail prior to 1.3.12 and prior to 1.4.5, where an XSS can be triggered via a malicious XML attachment because text/xml is among allowed preview types. The vulnerability affects Roundcube Webmail versions before these fixed releases; remediation is to upgrade t...
CVE-2020-12625
CVE-2020-12625 concerns Roundcube Webmail up to version 1.4.3, with a cross-site scripting (XSS) vulnerability in rcube_washtml.php that allows JavaScript in HTML message CDATA to be executed. Public advisories (e.g., Ubuntu USN-5182-1, Debian DSA-4674-1, openSUSE openSUSE-2020-1516) confirm the ...
CVE-2020-15562
CVE-2020-15562 affects Roundcube Webmail and enables cross-site scripting (XSS) via a crafted HTML e-mail that uses the xmlns attribute of a HEAD element when an SVG is present. Affected releases include Roundcube Webmail < 1.2.11, 1.3.x < 1.3.14, and 1.4.x
CVE-2020-16145
CVE-2020-16145 affects Roundcube Webmail prior to 1.3.15 and 1.4.8, where a crafted SVG in HTML messages can trigger stored XSS during display. Advisories confirm fixes in 1.3.15 and 1.4.8; remediation is to upgrade to these versions or newer. Occurrence details are supported by OpenSUSE/Tenable/...
CVE-2024-37383
CVE-2024-37383 affects Roundcube Webmail: an XSS caused by improper handling of SVG animate attributes in messages. Affected versions are Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7. Public details include a stored XSS instance reported for Roundcube 1.6.6 (Exploit-DB). Debian advisorie...
CVE-2019-10740
CVE-2019-10740 affects Roundcube Webmail prior to 1.3.10: an attacker who has access to S/MIME or PGP encrypted emails can wrap the encrypted parts into sub-parts of a crafted multipart message. The attacker can hide these parts using HTML/CSS or ASCII newlines and resend the modified multipart e...
CVE-2024-37385
Affected software: Roundcube Webmail on Windows. Vulnerability: command injection in im_convert_path and im_identify_path present in Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7, due to an incomplete fix for CVE-2020-12641. Impact (per CVSS): high confidentiality, integrity, and availabi...
CVE-2024-42008
CVE-2024-42008 is a cross-site scripting flaw in Roundcube’s rcmail_action_mail_get->run() that affects Roundcube <= 1.5.7 and 1.6.x
CVE-2020-12626
Roundcube Webmail CVE-2020-12626 is a CSRF vulnerability where an attacker can cause an authenticated user to be logged out by abusing POST requests. The issue arises from incorrect handling of login/logout POSTs and is documented across multiple connected sources, including D...
CVE-2017-8114
CVE-2017-8114: Roundcube Webmail vulnerability where authenticated users can arbitrarily reset passwords due to an improperly restricted exec call in the password plugin’s virtualmin and sasl drivers. Affected: <1.0.11, 1.1.x <1.1.9, 1.2.x
CVE-2021-44025
Roundcube Webmail vulnerability CVE-2021-44025 (XSS) and CVE-2021-44026 (SQL injection) affect Roundcube before 1.3.17 and 1.4.x before 1.4.12. The XSS is triggered by handling an attachment filename extension in a MIME type warning message; the SQLi affects search/search_params handling. Publicl...
CVE-2018-19206
CVE-2018-19206 affects Roundcube Webmail: a cross-site scripting vulnerability in how HTML attachments are parsed, via crafted content that can execute when an onload attribute is used in a BODY tag. Affected are Roundcube versions before 1.3.8 (and, per Debian advisories, prior patches and rela...
CVE-2020-13964
CVE-2020-13964 affects Roundcube Webmail prior to 1.3.12 and prior to 1.4.5 for 1.4.x; the issue is an HTML/XSS risk in include/rcmail_output_html.php via the username template object. Patches are released: Roundcube 1.3.12 and 1.4.5 (and 1.4.6 in some advisories). Remediation is to upgrade to th...
CVE-2024-37384
CVE-2024-37384 affects Roundcube Webmail: versions before 1.5.7 and 1.6.x before 1.6.7 are vulnerable. The issue allows Cross-Site Scripting via list columns from user preferences. The connected documents include Debian/Ubuntu/Nessus and OpenVAS advisories that corroborate the vulnerability and i...
CVE-2018-19205
CVE-2018-19205 affects Roundcube before 1.3.7, where processing of GnuPG MDC integrity-protection warnings in the Enigma driver (plugins/enigma/lib/enigma_driver_gnupg.php) can leak sensitive information. The issue is tied to a related CVE-2017-17688 and is mitigated by updating Roundcube to vers...
CVE-2021-26925
CVE-2021-26925 affects Roundcube Webmail prior to 1.4.11, enabling cross-site scripting via crafted CSS token sequences while rendering HTML emails. Public advisories (Mageia/Fedora) confirm the fix in 1.4.11. Remediate by upgrading Roundcube to 1.4.11 or newer; exploitation status is not describ...
CVE-2015-2181
CVE-2015-2181 affects the DBMail driver of Roundcube's Password plugin. The vulnerability is a buffer overflow in the DBMail driver that exists in Roundcube before version 1.1.0 and could allow remote attackers to cause unspecified impact via the password or username fields. The connected do...
CVE-2025-68460
Roundcube Webmail is vulnerable to information disclosure in the HTML style sanitizer for releases before 1.5.12 and 1.6.x before 1.6.12. Multiple advisories (Debian DSA-6087, DLA-4415-1; Fedora packages roundcubemail 1.6.12; EUVD-2025-204036; NVD entry CVE-2025-68460) confirm the issue and point...
CVE-2026-35537
The CVE-2026-35537 vulnerability affects Roundcube Webmail prior to 1.5.14 and 1.6.14, where unsafe deserialization in the redis/memcache session handler can allow unauthenticated attackers to perform arbitrary file writes via crafted session data. Several advisories confirm this issue and refere...
CVE-2026-35545
The CVE-2026-35545 vulnerability affects Roundcube Webmail prior to 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed by SVG content in emails via an animate element with attributeName=fill, filter, or stroke, enabling information disclosure or access-control bypass. Fedora/Debian...
CVE-2026-35538
This CVE affects Roundcube Webmail prior to 1.5.14 and prior to 1.6.14. The issue is unsanitized IMAP SEARCH arguments that can lead to IMAP injection or CSRF bypass during mail search. The connected sources indicate fixed releases: Roundcube 1.5.14 and 1.6.14 (and related security updates), so u...
CVE-2026-35541
Roundcube Webmail is affected in versions prior to 1.5.14 and 1.6.14 due to an incorrect password comparison in the password plugin, which can cause a type confusion and allow changing a password without the old one. Mitigation: upgrade to the patched releases (1.5.14 or 1.6.14); refer to the ass...
CVE-2026-35543
The CVE affects Roundcube Webmail versions before 1.5.14 and 1.6.14. The issue allows bypassing the remote image blocking feature via SVG content (with animate attributes) in an e-mail message, which can lead to information disclosure or an access-control bypass. Remediation details documented in...
CVE-2026-35539
CVE-2026-35539 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The issue is an XSS vulnerability caused by insufficient HTML attachment sanitization in preview mode; a user must preview a text/html attachment for exploitation. The vulnerability is limited to scenarios where a victim preview...
CVE-2026-35542
CVE-2026-35542 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed by a crafted background attribute of a BODY element in an email, potentially leading to information disclosure or an access-control bypass. No exploitation details are provided i...