Search CVE reports


Toggle filters

1 – 10 of 103 results


CVE-2026-54433

Medium priority
Needs evaluation

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim's authenticated session...

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-54432

Medium priority
Needs evaluation

Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-62644

Medium priority
Needs evaluation

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-62643

Medium priority
Needs evaluation

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network...

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-62642

Medium priority
Needs evaluation

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-62641

Medium priority
Needs evaluation

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the TNEF decoder was subject to denial of service via a crafted compressed-RTF size.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-48849

Medium priority
Needs evaluation

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-48848

Medium priority
Needs evaluation

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-48847

Medium priority
Needs evaluation

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-48846

Medium priority
Needs evaluation

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

1 affected package

roundcube

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
roundcube Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages