Roundcube
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Roundcube.
By the Year
In 2025 there have been 1 vulnerability in Roundcube. Last year, in 2024 Roundcube had 1 security vulnerability published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 1 | 0.00 |
| 2024 | 1 | 9.30 |
| 2023 | 1 | 6.10 |
| 2022 | 1 | 6.10 |
| 2021 | 3 | 5.40 |
| 2020 | 1 | 6.10 |
| 2019 | 0 | 0.00 |
| 2018 | 2 | 6.80 |
It may take a day or so for new Roundcube vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Roundcube Security Vulnerabilities
RCE in Roundcube <1.6.11 via Unvalidated _from Param (PHP OD)
CVE-2025-49113
- June 02, 2025
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Marshaling, Unmarshaling
XSS via message_body desanitization in Roundcube <=1.6.7 (CVE-2024-42009)
CVE-2024-42009
9.3 - Critical
- August 05, 2024
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
XSS
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4
CVE-2023-5631
6.1 - Medium
- October 18, 2023
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
XSS
Roundcube before 1.4.13 and 1.5.x before 1.5.2
CVE-2021-46144
6.1 - Medium
- January 06, 2022
Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.
XSS
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4
CVE-2020-18671
5.4 - Medium
- June 24, 2021
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
XSS
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4
CVE-2020-18670
5.4 - Medium
- June 24, 2021
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
XSS
Roundcube before 1.4.11
CVE-2021-26925
5.4 - Medium
- February 09, 2021
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
XSS
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10
CVE-2020-35730
6.1 - Medium
- December 28, 2020
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
XSS
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings
CVE-2018-19205
7.5 - High
- November 12, 2018
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php.
Information Disclosure
steps/mail/func.inc in Roundcube before 1.3.8 has XSS
CVE-2018-19206
6.1 - Medium
- November 12, 2018
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
XSS
