Roundcube

Known Exploited Roundcube Vulnerabilities

The following Roundcube vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 6 known exploited Roundcube vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 2 vulnerabilities in Roundcube with an average score of 4.5 out of ten. Last year, in 2025 Roundcube had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Roundcube in 2026 could surpass last years number. Last year, the average CVE base score was greater by 3.60

Recent Roundcube Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-26079	Feb 11, 2026	Roundcube Webmail CSS Injection v1.5.13/1.6.13 (CVE-2026-26079) Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.	Webmail Roundcube
CVE-2026-25916	Feb 09, 2026	Roundcube <1.5.13/1.6.13 fails to block SVG feImage when Block remote images enabled Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.	Webmail
CVE-2025-68461	Dec 18, 2025	CVE-2025-68461 XSS via SVG animate tag in Roundcube Webmail <1.5.12 / <1.6.12 Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.	Webmail
CVE-2025-68460	Dec 18, 2025	Roundcube Webmail 1.5.12 & 1.6.12 info disclosure via HTML style sanitizer Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.	Webmail
CVE-2025-49113	Jun 02, 2025	RCE in Roundcube <1.6.11 via Unvalidated _from Param (PHP OD) Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.	Roundcube Webmail
CVE-2024-57004	Feb 03, 2025	XSS via Attachment Upload in Roundcube Webmail 1.6.9 Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.	Webmail
CVE-2024-42008	Aug 05, 2024	XSS in Roundcube 1.5.7/1.6.7 rcmail_action_mail_get A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.	Webmail
CVE-2024-42009	Aug 05, 2024	XSS via message_body desanitization in Roundcube <=1.6.7 (CVE-2024-42009) A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.	Webmail Roundcube
CVE-2024-37383	Jun 07, 2024	Roundcube Webmail XSS via SVG animate (<=1.5.6/1.6.6) Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.	Webmail
CVE-2024-37385	Jun 07, 2024	Roundcube <=1.5.7 & 1.6.x <=1.6.7 CmdInject via im_convert/im_identify Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.	Webmail