Roundcube


Products by Roundcube, sorted by most security vulnerabilities since 2018

Roundcube Webmail: 32 vulnerabilities

Roundcube: 10 vulnerabilities

Known Exploited Roundcube Vulnerabilities

The following Roundcube vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: RoundCube Webmail Cross-Site Scripting Vulnerability
CVE: CVE-2024-42009 (Exploit Probability: 90.7%)
Added: June 9, 2025
Description: RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Title: RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
CVE: CVE-2024-37383 (Exploit Probability: 68.9%)
Added: October 24, 2024
Description: RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

Title: Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
CVE: CVE-2020-13965 (Exploit Probability: 82.7%)
Added: June 26, 2024
Description: Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.

Title: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
CVE: CVE-2023-43770 (Exploit Probability: 71.0%)
Added: February 12, 2024
Description: Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.

Title: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
CVE: CVE-2023-5631 (Exploit Probability: 84.4%)
Added: October 26, 2023
Description: Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.

Title: Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
CVE: CVE-2020-35730 (Exploit Probability: 47.4%)
Added: June 22, 2023
Description: Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.

Title: Roundcube Webmail Remote Code Execution Vulnerability
CVE: CVE-2020-12641 (Exploit Probability: 93.5%)
Added: June 22, 2023
Description: Roundcube Webmail contains a remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Title: Roundcube Webmail SQL Injection Vulnerability
CVE: CVE-2021-44026 (Exploit Probability: 57.0%)
Added: June 22, 2023
Description: Roundcube Webmail is vulnerable to SQL injection via search or search_params.

Title: Roundcube Webmail File Disclosure Vulnerability
CVE: CVE-2017-16651 (Exploit Probability: 33.4%)
Added: November 3, 2021
Description: Allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited Roundcube vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 2 vulnerabilities in Roundcube. Last year, in 2024, Roundcube had 5 security vulnerabilities published. Right now, Roundcube is on track to have fewer security vulnerabilities in 2025 than it did last year.

Year  Vulnerabilities  Average Score
2025  2                0.00
2024  5                8.23
2023  3                6.10
2022  1                6.10
2021  5                6.42
2020  9                6.99
2019  2                5.85
2018  5                7.16

It may take a day or so for new Roundcube vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Roundcube Security Vulnerabilities

CVE: CVE-2025-49113
Date: Jun 02, 2025
Products: Roundcube
Title: RCE in Roundcube <1.6.11 via Unvalidated _from Param (PHP OD)
Description: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

CVE: CVE-2024-57004
Date: Feb 03, 2025
Products: Webmail
Title: XSS via Attachment Upload in Roundcube Webmail 1.6.9
Description: Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.

CVE: CVE-2024-42008
Date: Aug 05, 2024
Products: Webmail
Title: XSS in Roundcube 1.5.7/1.6.7 rcmail_action_mail_get
Description: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

CVE: CVE-2024-42009
Date: Aug 05, 2024
Products: Webmail, Roundcube
Title: XSS via message_body desanitization in Roundcube <=1.6.7 (CVE-2024-42009)
Description: A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

CVE: CVE-2024-37383
Date: Jun 07, 2024
Products: Webmail
Title: Roundcube Webmail XSS via SVG animate (<=1.5.6/1.6.6)
Description: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

CVE: CVE-2024-37385
Date: Jun 07, 2024
Products: Webmail
Title: Roundcube <=1.5.7 & 1.6.x <=1.6.7 CmdInject via im_convert/im_identify
Description: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.

CVE: CVE-2024-37384
Date: Jun 07, 2024
Products: Webmail
Title: Roundcube Webmail <=1.5.7/1.6.x<1.6.7 XSS via user preference list columns
Description: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.

CVE: CVE-2023-47272
Date: Nov 06, 2023
Products: Webmail
Title: Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5
Description: Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

CVE: CVE-2023-5631
Date: Oct 18, 2023
Products: Webmail, Roundcube
Title: Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4
Description: Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

CVE: CVE-2023-43770
Date: Sep 22, 2023
Products: Webmail
Title: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3
Description: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).