Roundcube

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Roundcube product.

RSS Feeds for Roundcube security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Roundcube products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Roundcube Sorted by Most Security Vulnerabilities since 2018

Roundcube Webmail55 vulnerabilities

Roundcube12 vulnerabilities

Known Exploited Roundcube Vulnerabilities

The following Roundcube vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title	Description	Added
RoundCube Webmail Deserialization of Untrusted Data Vulnerability	RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. CVE-2025-49113 Exploit Probability: 89.2%	February 20, 2026
RoundCube Webmail Cross-site Scripting Vulnerability	RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document. CVE-2025-68461 Exploit Probability: 19.8%	February 20, 2026
RoundCube Webmail Cross-Site Scripting Vulnerability	RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. CVE-2024-42009 Exploit Probability: 82.9%	June 9, 2025
RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability	RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code. CVE-2024-37383 Exploit Probability: 73.3%	October 24, 2024
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability	Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment. CVE-2020-13965 Exploit Probability: 76.6%	June 26, 2024
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability	Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages. CVE-2023-43770 Exploit Probability: 56.9%	February 12, 2024
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability	Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code. CVE-2023-5631 Exploit Probability: 70.9%	October 26, 2023
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability	Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php. CVE-2020-35730 Exploit Probability: 32.4%	June 22, 2023
Roundcube Webmail Remote Code Execution Vulnerability	Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. CVE-2020-12641 Exploit Probability: 84.5%	June 22, 2023
Roundcube Webmail SQL Injection Vulnerability	Roundcube Webmail is vulnerable to SQL injection via search or search_params. CVE-2021-44026 Exploit Probability: 42.9%	June 22, 2023
Roundcube Webmail File Disclosure Vulnerability	Allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. CVE-2017-16651 Exploit Probability: 42.8%	November 3, 2021

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited Roundcube vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 20 vulnerabilities in Roundcube with an average score of 5.5 out of ten. Last year, in 2025 Roundcube had 4 security vulnerabilities published. That is, 16 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 2.64

Year	Vulnerabilities	Average Score
2026	20	5.46
2025	4	8.10
2024	5	8.23
2023	3	6.10
2022	1	6.10
2021	5	7.10
2020	9	6.88
2019	2	4.30
2018	5	7.48

It may take a day or so for new Roundcube vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Roundcube Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-9818	May 28, 2026	Roundcube HTML Sanitization Allows Loopback URLs	Webmail
CVE-2026-48849	May 25, 2026	Roundcube Webmail 1.6.x <1.6.16 & 1.7.x <1.7.1 XSS via Unsanitized Subject In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.	Webmail
CVE-2026-48848	May 25, 2026	Roundcube <=1.7 HTML Sanitization Flaw: CSS Injection via SVG animate(attributeName) Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.	Webmail
CVE-2026-48847	May 25, 2026	Roundcube Webmail 1.6.x<1.6.16/1.7.x<1.7.1 Pre-Auth Arbitrary File Deletion via Redis/Memcache Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.	Webmail
CVE-2026-48846	May 25, 2026	CVE-2026-48846 Roundcube: Remote Image Blocking Bypass via CSS var() In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.	Webmail
CVE-2026-48845	May 25, 2026	Remote Img Block Bypass: Roundcube 1.6.14-1.6.16 & 1.7.x<1.7.1 In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.	Webmail
CVE-2026-48844	May 25, 2026	Roundcube Webmail LDAP Autovalues Code Injection Before v1.6.16 & v1.7.1 Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)	Webmail
CVE-2026-48843	May 25, 2026	Roundcube Webmail 1.6.x 1.6.141.6.16 & 1.7.x<1.7.1: CSS SSRF/InfoLeak Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.	Webmail
CVE-2026-48842	May 25, 2026	Pre-Authentication SQL Injection in Roundcube virtuser_query Plugin (1.6.x<1.6.16, 1.7.x<1.7.1) Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.	Webmail
CVE-2026-35545	Apr 03, 2026	Roundcube Webmail SVG img block bypass <1.5.15/1.6.15 An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.	Webmail