Filtered by vendor Roundcube
Subscribe
Total
83 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16651 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2026-04-21 | 4.6 MEDIUM | 7.8 HIGH |
| Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. | |||||
| CVE-2005-4368 | 1 Roundcube | 1 Webmail | 2026-04-16 | 5.0 MEDIUM | N/A |
| roundcube webmail Alpha, with a default high verbose level ($rcmail_config['debug_level'] = 1), allows remote attackers to obtain the full path of the application via an invalid_task parameter, which leaks the path in an error message. | |||||
| CVE-2026-35537 | 1 Roundcube | 1 Webmail | 2026-04-13 | N/A | 3.7 LOW |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data. | |||||
| CVE-2026-35544 | 1 Roundcube | 1 Webmail | 2026-04-09 | N/A | 5.3 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important. | |||||
| CVE-2026-35538 | 1 Roundcube | 1 Webmail | 2026-04-07 | N/A | 3.1 LOW |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search. | |||||
| CVE-2026-35539 | 1 Roundcube | 1 Webmail | 2026-04-07 | N/A | 6.1 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment. | |||||
| CVE-2026-35540 | 1 Roundcube | 1 Webmail | 2026-04-07 | N/A | 5.4 MEDIUM |
| An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. | |||||
| CVE-2026-35541 | 1 Roundcube | 1 Webmail | 2026-04-07 | N/A | 4.2 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password. | |||||
| CVE-2026-35542 | 1 Roundcube | 1 Webmail | 2026-04-07 | N/A | 5.3 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass. | |||||
| CVE-2026-35543 | 1 Roundcube | 1 Webmail | 2026-04-07 | N/A | 5.3 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass. | |||||
| CVE-2026-35545 | 1 Roundcube | 1 Webmail | 2026-04-07 | N/A | 5.3 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke. | |||||
| CVE-2025-49113 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2026-02-23 | N/A | 9.9 CRITICAL |
| Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | |||||
| CVE-2025-68461 | 1 Roundcube | 1 Webmail | 2026-02-23 | N/A | 7.2 HIGH |
| Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | |||||
| CVE-2024-37385 | 2 Microsoft, Roundcube | 2 Windows, Webmail | 2026-02-06 | N/A | 9.8 CRITICAL |
| Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. | |||||
| CVE-2025-68460 | 1 Roundcube | 1 Webmail | 2026-01-02 | N/A | 7.2 HIGH |
| Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer. | |||||
| CVE-2024-57004 | 1 Roundcube | 1 Webmail | 2025-12-22 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session. | |||||
| CVE-2024-42009 | 1 Roundcube | 1 Webmail | 2025-11-04 | N/A | 9.3 CRITICAL |
| A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | |||||
| CVE-2020-12641 | 2 Opensuse, Roundcube | 3 Backports Sle, Leap, Webmail | 2025-11-04 | 7.5 HIGH | 9.8 CRITICAL |
| rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | |||||
| CVE-2020-13965 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2025-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. | |||||
| CVE-2020-35730 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2025-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. | |||||