Roundcube


Products by Roundcube, sorted by number of security vulnerabilities since 2018

Roundcube Webmail: 46 vulnerabilities

Roundcube: 12 vulnerabilities

Known Exploited Roundcube Vulnerabilities

The following Roundcube vulnerabilities are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, i.e. they are known to have been exploited by threat actors. Each entry gives the CVE, the date it was added to the catalog, and its EPSS exploit probability.

CVE-2025-49113 | Added: February 20, 2026 | EPSS exploit probability: 91.6%
RoundCube Webmail Deserialization of Untrusted Data Vulnerability. RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

CVE-2025-68461 | Added: February 20, 2026 | EPSS exploit probability: 6.8%
RoundCube Webmail Cross-site Scripting Vulnerability. RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.

CVE-2024-42009 | Added: June 9, 2025 | EPSS exploit probability: 91.4%
RoundCube Webmail Cross-Site Scripting Vulnerability. RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.

CVE-2024-37383 | Added: October 24, 2024 | EPSS exploit probability: 64.0%
RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability. RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

CVE-2020-13965 | Added: June 26, 2024 | EPSS exploit probability: 71.8%
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability. Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.

CVE-2023-43770 | Added: February 12, 2024 | EPSS exploit probability: 80.4%
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability. Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.

CVE-2023-5631 | Added: October 26, 2023 | EPSS exploit probability: 85.1%
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability. Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.

CVE-2020-35730 | Added: June 22, 2023 | EPSS exploit probability: 64.8%
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability. Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.

CVE-2020-12641 | Added: June 22, 2023 | EPSS exploit probability: 93.1%
Roundcube Webmail Remote Code Execution Vulnerability. Roundcube Webmail contains a remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

CVE-2021-44026 | Added: June 22, 2023 | EPSS exploit probability: 72.5%
Roundcube Webmail SQL Injection Vulnerability. Roundcube Webmail is vulnerable to SQL injection via search or search_params.

CVE-2017-16651 | Added: November 3, 2021 | EPSS exploit probability: 37.3%
Roundcube Webmail File Disclosure Vulnerability. Allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

Of the known exploited vulnerabilities above, 5 are in the top 1% (99th percentile or greater) of the EPSS exploit probability rankings, and 5 are in the top 5% (95th percentile or greater).

By the Year

In 2026 there have been 11 vulnerabilities in Roundcube, with an average CVSS base score of 4.8 out of 10. Last year, in 2025, Roundcube had 4 security vulnerabilities published, so 7 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 3.31.

Year Vulnerabilities Average Score
2026 11 4.79
2025 4 8.10
2024 5 8.23
2023 3 6.10
2022 1 6.10
2021 5 7.10
2020 9 6.88
2019 2 4.30
2018 5 7.48

It may take a day or so for new Roundcube vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Roundcube Security Vulnerabilities

CVE-2026-35545 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail SVG image block bypass (before 1.5.15/1.6.15). An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

CVE-2026-35544 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail (before 1.5.14/1.6.14) CSS sanitization bypass via !important. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

CVE-2026-35543 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail (before 1.5.14/1.6.14): SVG image blocking bypass via animate attributes. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

CVE-2026-35542 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail (before 1.5.14/1.6.14): remote image block bypass via BODY background. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

CVE-2026-35541 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail (before 1.5.14/1.6.14): password plugin type confusion enables password change. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

CVE-2026-35540 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail 1.6.0 before 1.6.14: CSS SSRF / information disclosure. An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts.

CVE-2026-35539 | Apr 03, 2026 | Product: Roundcube Webmail
XSS in Roundcube Webmail (before 1.5.14/1.6.14) via HTML attachment preview. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

CVE-2026-35538 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail (before 1.5.14/1.6.14): IMAP injection and CSRF bypass via unsanitized SEARCH. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

CVE-2026-35537 | Apr 03, 2026 | Product: Roundcube Webmail
Roundcube Webmail (before 1.5.14/1.6.14) unsafe deserialization: arbitrary file write via session data. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

CVE-2026-26079 | Feb 11, 2026 | Product: Roundcube Webmail
Roundcube Webmail CSS injection (before 1.5.13/1.6.13). Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
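The entries above give a fixed version per branch for each 2026 CVE, which is what an operator actually needs to triage an install. The following script is an added example, not code from stack.watch or the Roundcube project; it transcribes the affected ranges exactly as the entries state them ("before 1.5.14 and 1.6.14", "1.6.0 before 1.6.14", "before 1.5.13 and 1.6 before 1.6.13") and reports which of these CVEs affect a given Roundcube version string. The handling of pre-release tags such as "1.6.14-rc1" is an assumption about Roundcube's version format, and the KEV entries are not included because the page gives no fixed versions for them.

```python
"""Report which of the 2026 Roundcube CVEs listed on this page affect a
given installed version.  Added example; not stack.watch or Roundcube code."""
from __future__ import annotations

import re
import sys

# Affected ranges transcribed from the entries above.  Each range is
# (lower_bound_inclusive or None, fixed_version_exclusive).  "before X and Y"
# is read the way NVD phrases it: everything below X (which also covers
# end-of-life 1.4.x and older) plus the 1.6 branch below Y.
RECENT_FIXES: list[tuple[str, list[tuple[str | None, str]]]] = [
    ("CVE-2026-35545", [(None, "1.5.15"), ("1.6.0", "1.6.15")]),
    ("CVE-2026-35544", [(None, "1.5.14"), ("1.6.0", "1.6.14")]),
    ("CVE-2026-35543", [(None, "1.5.14"), ("1.6.0", "1.6.14")]),
    ("CVE-2026-35542", [(None, "1.5.14"), ("1.6.0", "1.6.14")]),
    ("CVE-2026-35541", [(None, "1.5.14"), ("1.6.0", "1.6.14")]),
    ("CVE-2026-35540", [("1.6.0", "1.6.14")]),  # 1.6.0 before 1.6.14 only
    ("CVE-2026-35539", [(None, "1.5.14"), ("1.6.0", "1.6.14")]),
    ("CVE-2026-35538", [(None, "1.5.14"), ("1.6.0", "1.6.14")]),
    ("CVE-2026-35537", [(None, "1.5.14"), ("1.6.0", "1.6.14")]),
    ("CVE-2026-26079", [(None, "1.5.13"), ("1.6.0", "1.6.13")]),
]

# Assumed version format: "1.6.13", "1.6", "1.6-rc", "1.6.14-rc1", "1.7-beta".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(beta|rc)\d*)?$", re.I)


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, is_release).

    A pre-release tag makes is_release 0, so "1.6.14-rc1" sorts below the
    final "1.6.14" and is still reported as affected by a 1.6.14 fix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def in_range(version: str, lower: str | None, fixed: str) -> bool:
    """True if version is at or above `lower` (if given) and below `fixed`."""
    v = parse_version(version)
    # Compare the lower bound on (major, minor, patch) only, so that a
    # branch pre-release such as "1.6-rc" still counts as inside the 1.6 branch.
    if lower is not None and v[:3] < parse_version(lower)[:3]:
        return False
    return v < parse_version(fixed)


def affected_cves(version: str) -> list[str]:
    """CVEs from RECENT_FIXES whose affected ranges contain `version`,
    in the order the page lists them."""
    return [
        cve
        for cve, ranges in RECENT_FIXES
        if any(in_range(version, lower, fixed) for lower, fixed in ranges)
    ]


if __name__ == "__main__":
    # Usage: python roundcube_check.py 1.6.13
    for arg in sys.argv[1:] or ["1.6.13"]:
        hits = affected_cves(arg)
        status = ", ".join(hits) if hits else "none of the CVEs listed above"
        print(f"Roundcube {arg}: {status}")
```

A version on a branch the page does not mention (for example a hypothetical 1.7.x) falls outside every range and is reported as unaffected; that reflects only what these entries state, not a guarantee, so treat "none" as "nothing on this page applies" rather than "patched".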
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).