Roundcube Webmail
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Roundcube Webmail.
Known Exploited Roundcube Webmail Vulnerabilities
The following Roundcube Webmail vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| RoundCube Webmail Deserialization of Untrusted Data Vulnerability |
RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. CVE-2025-49113 Exploit Probability: 91.6% |
February 20, 2026 |
| RoundCube Webmail Cross-site Scripting Vulnerability |
RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document. CVE-2025-68461 Exploit Probability: 6.8% |
February 20, 2026 |
| RoundCube Webmail Cross-Site Scripting Vulnerability |
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. CVE-2024-42009 Exploit Probability: 91.4% |
June 9, 2025 |
| RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability |
RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code. CVE-2024-37383 Exploit Probability: 64.5% |
October 24, 2024 |
| Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability |
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment. CVE-2020-13965 Exploit Probability: 71.8% |
June 26, 2024 |
| Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability |
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages. CVE-2023-43770 Exploit Probability: 80.7% |
February 12, 2024 |
| Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability |
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code. CVE-2023-5631 Exploit Probability: 83.4% |
October 26, 2023 |
Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 2 known exploited Roundcube Webmail vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 11 vulnerabilities in Roundcube Webmail with an average score of 4.8 out of ten. Last year, in 2025 Webmail had 4 security vulnerabilities published. That is, 7 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 3.31
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 11 | 4.79 |
| 2025 | 4 | 8.10 |
| 2024 | 5 | 8.23 |
| 2023 | 3 | 6.10 |
| 2022 | 0 | 0.00 |
| 2021 | 5 | 7.10 |
| 2020 | 9 | 6.88 |
| 2019 | 2 | 4.30 |
| 2018 | 5 | 7.48 |
It may take a day or so for new Webmail vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Roundcube Webmail Security Vulnerabilities
Roundcube Webmail SVG img block bypass <1.5.15/1.6.15
CVE-2026-35545
5.3 - Medium
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Incorrect Resource Transfer Between Spheres
Roundcube Webmail <1.5.14/1.6.14 CSS Sanitization Bypass via !important
CVE-2026-35544
5.3 - Medium
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Incorrect Resource Transfer Between Spheres
Roundcube Webmail <1.5.14/1.6.14: SVG Image Blocking Bypass via animate attrs
CVE-2026-35543
5.3 - Medium
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Incorrect Resource Transfer Between Spheres
Roundcube 1.6.13 Remote Image Block Bypass via BODY background
CVE-2026-35542
5.3 - Medium
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Incorrect Resource Transfer Between Spheres
Roundcube <1.6.14 Password Plugin Type Confusion Enables Password Change
CVE-2026-35541
4.2 - Medium
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Object Type Confusion
Roundcube 1.6.0bef.1.6.14: CSS SSRF/Info Disclosure
CVE-2026-35540
5.4 - Medium
- April 03, 2026
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Incorrect Resource Transfer Between Spheres
XSS in Roundcube <1.5.14/1.6.14 via HTML attachment preview
CVE-2026-35539
6.1 - Medium
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
XSS
Roundcube Webmail <1.5.14/1.6.14: IMAP Injection & CSRF via UNSCANNED SEARCH
CVE-2026-35538
3.1 - Low
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Argument Injection
Roundcube <1.5.14/1.6.14 unsafe deserialization: arb file write via session
CVE-2026-35537
3.7 - Low
- April 03, 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Marshaling, Unmarshaling
Roundcube Webmail CSS Injection v1.5.13/1.6.13 (CVE-2026-26079)
CVE-2026-26079
4.7 - Medium
- February 11, 2026
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Inclusion of Functionality from Untrusted Control Sphere
Roundcube <1.5.13/1.6.13 fails to block SVG feImage when Block remote images enabled
CVE-2026-25916
4.3 - Medium
- February 09, 2026
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Unprotected Alternate Channel
CVE-2025-68461 XSS via SVG animate tag in Roundcube Webmail <1.5.12 / <1.6.12
CVE-2025-68461
7.2 - High
- December 18, 2025
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
XSS
Roundcube Webmail 1.5.12 & 1.6.12 info disclosure via HTML style sanitizer
CVE-2025-68460
7.2 - High
- December 18, 2025
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.
Output Sanitization
RCE in Roundcube <1.6.11 via Unvalidated _from Param (PHP OD)
CVE-2025-49113
9.9 - Critical
- June 02, 2025
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Marshaling, Unmarshaling
XSS via Attachment Upload in Roundcube Webmail 1.6.9
CVE-2024-57004
- February 03, 2025
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
XSS in Roundcube 1.5.7/1.6.7 rcmail_action_mail_get
CVE-2024-42008
9.3 - Critical
- August 05, 2024
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
XSS
XSS via message_body desanitization in Roundcube <=1.6.7 (CVE-2024-42009)
CVE-2024-42009
9.3 - Critical
- August 05, 2024
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
XSS
Roundcube Webmail <=1.5.7/1.6.x<1.6.7 XSS via user preference list columns
CVE-2024-37384
- June 07, 2024
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
Roundcube <=1.5.7 & 1.6.x <=1.6.7 CmdInject via im_convert/im_identify
CVE-2024-37385
- June 07, 2024
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
Roundcube Webmail XSS via SVG animate (<=1.5.6/1.6.6)
CVE-2024-37383
6.1 - Medium
- June 07, 2024
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
XSS
Roundcube XSS via Header before 1.5.6/1.6.5 (Content-Type/Disposition)
CVE-2023-47272
6.1 - Medium
- November 06, 2023
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
XSS
Roundcube <=1.4.15/1.5.x<1.5.5/1.6.x<1.6.4 Stored XSS via SVG in HTML mail
CVE-2023-5631
6.1 - Medium
- October 18, 2023
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
XSS
Roundcube<1.4.14,1.5.x<1.5.4,1.6.x<1.6.3 XSS via plain email links (rcube_string_replacer.php)
CVE-2023-43770
6.1 - Medium
- September 22, 2023
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
XSS
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
CVE-2021-44025
6.1 - Medium
- November 19, 2021
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
XSS
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection
CVE-2021-44026
9.8 - Critical
- November 19, 2021
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
SQL Injection
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4
CVE-2020-18670
- June 24, 2021
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4
CVE-2020-18671
- June 24, 2021
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
Roundcube before 1.4.11
CVE-2021-26925
5.4 - Medium
- February 09, 2021
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
XSS
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10
CVE-2020-35730
6.1 - Medium
- December 28, 2020
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
XSS
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document
CVE-2020-16145
- August 12, 2020
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7
CVE-2020-15562
6.1 - Medium
- July 06, 2020
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
XSS
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5
CVE-2020-13964
6.1 - Medium
- June 09, 2020
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
XSS
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5
CVE-2020-13965
6.3 - Medium
- June 09, 2020
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
Basic XSS
Roundcube Webmail before 1.4.4
CVE-2020-12640
- May 04, 2020
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
rcube_image.php in Roundcube Webmail before 1.4.4
CVE-2020-12641
9.8 - Critical
- May 04, 2020
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Shell injection
An issue was discovered in Roundcube Webmail before 1.4.4
CVE-2020-12625
- May 04, 2020
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
An issue was discovered in Roundcube Webmail before 1.4.4
CVE-2020-12626
- May 04, 2020
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names
CVE-2019-15237
- August 20, 2019
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails
CVE-2019-10740
4.3 - Medium
- April 07, 2019
In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.
Cleartext Transmission of Sensitive Information
steps/mail/func.inc in Roundcube before 1.3.8 has XSS
CVE-2018-19206
6.1 - Medium
- November 12, 2018
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
XSS
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings
CVE-2018-19205
7.5 - High
- November 12, 2018
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php.
Information Disclosure
The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack
CVE-2017-17688
- May 16, 2018
The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification
In Roundcube from versions 1.2.0 to 1.3.5
CVE-2018-9846
8.8 - High
- April 07, 2018
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Improper Input Validation
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin
CVE-2018-1000071
7.5 - High
- March 13, 2018
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.
Incorrect Permission Assignment for Critical Resource
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3
CVE-2017-16651
7.8 - High
- November 09, 2017
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
Files or Directories Accessible to External Parties
Roundcube Webmail allows arbitrary password resets by authenticated users
CVE-2017-8114
- April 29, 2017
Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Roundcube Webmail or by Roundcube? Click the Watch button to subscribe.
