CVE Daily
← All tags

Tag: Roundcube Webmail

All CVEs associated with "Roundcube Webmail". Page 1/1 • 105 CVEs.

About “Roundcube Webmail”

A curated feed of “Roundcube Webmail”-related CVEs appears below. We currently track 105 CVEs for this tag (all time). In the last 365 days, 22 were published. Average CVSS is 6.2 (all time; 5.6 over 365d), and 30% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-669 - Incorrect Resource Transfer Between Spheres, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-184 - Incomplete List of Disallowed Inputs.

In our taxonomy this topic maps to a MODERATE impact class. Mail servers and webmail risk credential theft and data exposure. Patch MTA or IMAP, enforce TLS and auth, lock down admin consoles, and validate anti spam or AV. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: roundcube

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
1.71.7.1Unavailable-
1.61.6.16-LTS
1.51.5.15 ExpiredLTS
1.41.4.16Unavailable Expired
1.31.3.17Unavailable Expired
1.21.2.13Unavailable Expired
1.11.1.12Unavailable- Expired
1.01.0.12Unavailable- Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Roundcube Webmail”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-28
Medium

CVE-2026-9818

Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML…

CVSS: 4.7 CWE: CWE-184 - Incomplete List of Disallowed Inputs View on NVD
2026-05-25
Medium

CVE-2026-48849

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2026-48848

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2026-48847

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

CVSS: 3.7 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
Medium

CVE-2026-48846

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information di…

CVSS: 6.5 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
Medium

CVE-2026-48845

In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information discl…

CVSS: 6.5 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
High

CVE-2026-48844

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been…

CVSS: 7.5 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
High

CVE-2026-48843

Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure,…

CVSS: 7.2 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
High

CVE-2026-48842

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

CVSS: 8.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2026-04-03
Medium

CVE-2026-35545

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure…

CVSS: 5.3 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
Medium

CVE-2026-35544

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass vi…

CVSS: 5.3 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
Medium

CVE-2026-35543

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead…

CVSS: 5.3 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
Medium

CVE-2026-35542

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. Thi…

CVSS: 5.3 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
Medium

CVE-2026-35541

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing…

CVSS: 4.2 CWE: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion') View on NVD
Medium

CVE-2026-35540

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if s…

CVSS: 5.4 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
Medium

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2026-35538

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

CVSS: 3.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
Low

CVE-2026-35537

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated atta…

CVSS: 3.7 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2026-02-11
Medium

CVE-2026-26079

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

CVSS: 4.7 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
2026-02-09
Medium

CVE-2026-25916

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

CVSS: 4.3 CWE: CWE-420 - Unprotected Alternate Channel View on NVD
2025-12-18
High

CVE-2025-68461

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-68460

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.

CVSS: 7.2 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
2025-06-02
Critical

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.ph…

CVSS: 9.9 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-02-03
Medium

CVE-2024-57004

Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiti…

CVSS: 6.1 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
2024-08-05
High

CVE-2024-42010

mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2024-42009

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desani…

CVSS: 9.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2024-42008

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious…

CVSS: 9.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-06-07
Critical

CVE-2024-37385

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-1…

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2024-37384

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-37383

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-11-06
Medium

CVE-2023-47272

Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-10-18
Medium

CVE-2023-5631

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavio…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-09-22
Medium

CVE-2023-43770

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-09-04
High

CVE-2023-3222

Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user´s password by adding a 6…

CVSS: 7.5 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
Medium

CVE-2023-3221

User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate a…

CVSS: 5.3 CWE: CWE-204 - Observable Response Discrepancy View on NVD
2022-04-26
Medium

CVE-2022-28218

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2022-01-06
Medium

CVE-2021-46144

Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-11-19
Critical

CVE-2021-44026

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2021-44025

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-06-24
Medium

CVE-2020-18671

Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-18670

Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-02-09
Medium

CVE-2021-26925

Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-12-28
Medium

CVE-2020-35730

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference el…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-08-12
Medium

CVE-2020-16145

Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-07-06
Medium

CVE-2020-15562

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in th…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-06-09
Medium

CVE-2020-13965

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-13964

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-05-04
Critical

CVE-2020-12641

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2020-12640

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2020-12626

An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2020-12625

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-08-20
High

CVE-2019-15237

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

CVSS: 7.4 CWE: N/A View on NVD
2019-08-05
Medium

CVE-2016-10770

cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2019-08-02
Medium

CVE-2017-18450

cPanel before 64.0.21 allows certain file-chmod operations via /scripts/convert_roundcube_mysql2sqlite (SEC-255).

CVSS: 4.5 CWE: CWE-264 View on NVD
Medium

CVE-2017-18449

cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2017-18416

cPanel before 67.9999.103 allows arbitrary file-overwrite operations during a Roundcube SQLite schema update (SEC-303).

CVSS: 5.5 CWE: CWE-284 - Improper Access Control View on NVD
2019-08-01
High

CVE-2016-10846

cPanel before 11.54.0.4 allows arbitrary file-chown and file-chmod operations during Roundcube database conversions (SEC-79).

CVSS: 8.1 CWE: CWE-275 View on NVD
2019-06-24
Medium

CVE-2019-12938

The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs vi…

CVSS: 4.3 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2019-04-07
Medium

CVE-2019-10740

In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidde…

CVSS: 4.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2018-11-12
Medium

CVE-2018-19206

steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2018-19205

Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated w…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-09-09
Medium

CVE-2018-16736

In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings).

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-04-07
High

CVE-2018-9846

In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mb…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2018-03-13
High

CVE-2018-1000072

iRedMail version prior to commit f04b8ef contains a Insecure Permissions vulnerability in Roundcube Webmail that can result in Exfiltrate a user's password protected secret GPG key file and other imp…

CVSS: 7.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2018-1000071

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via networ…

CVSS: 7.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-11-09
High

CVE-2017-16651

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the…

CVSS: 7.8 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2017-05-23
High

CVE-2015-5383

Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2015-5382

program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2015-5381

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter t…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2017-04-29
High

CVE-2017-8114

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly rest…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2017-04-13
Medium

CVE-2016-4068

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnera…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2015-8864

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnera…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2017-03-12
Medium

CVE-2017-6820

rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2017-01-30
High

CVE-2015-2181

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.

CVSS: 8.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
High

CVE-2015-2180

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.

CVSS: 8.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2016-12-20
Medium

CVE-2016-4552

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2016-12-08
High

CVE-2016-9920

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
2016-08-25
High

CVE-2016-4069

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a deni…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2016-01-29
Medium

CVE-2015-8794

Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full path…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2015-8793

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox pa…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2015-8770

Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain pe…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2015-11-10
Low

CVE-2015-8105

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2015-02-03
Medium

CVE-2015-1433

program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2015-01-15
Medium

CVE-2014-9587

Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2014-02-08
Medium

CVE-2013-1904

Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _v…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2013-11-05
High

CVE-2013-6172

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2013-08-29
Low

CVE-2013-5646

Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2013-5645

Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2013-02-24
Medium

CVE-2012-6121

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2012-08-25
Medium

CVE-2012-4668

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2012-3508

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribu…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2012-3507

Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML vi…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2012-06-04
Low

CVE-2012-1253

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embed…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2011-11-03
Medium

CVE-2011-4078

include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resou…

CVSS: 5.0 CWE: CWE-399 View on NVD
2011-09-21
Medium

CVE-2011-2937

Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to t…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2011-04-08
Medium

CVE-2011-1492

steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote au…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2011-1491

The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensit…

CVSS: 3.5 CWE: CWE-20 - Improper Input Validation View on NVD
2010-01-29
Medium

CVE-2010-0464

Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the netwo…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2009-11-25
Medium

CVE-2009-4077

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary email…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2009-4076

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user informat…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2009-02-03
Medium

CVE-2009-0413

Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTM…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2008-12-17
High

CVE-2008-5620

RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted size parameters that are used to create a large quota image.

CVSS: 7.8 CWE: CWE-399 View on NVD
Critical

CVE-2008-5619

html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attack…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2007-12-12
Medium

CVE-2007-6321

Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML vi…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2005-12-20
Medium

CVE-2005-4368

roundcube webmail Alpha, with a default high verbose level ($rcmail_config['debug_level'] = 1), allows remote attackers to obtain the full path of the application via an invalid_task parameter, which…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox