CVE-2025-68460
Published: 2025-12-18

CVE-2025-68460: Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.

Priority: P3 41 high
CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.24% (15.5th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u6 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u6 (bookworm) |
| roundcube | webmail | < 1.5.12 | 1.5.12 |
| roundcube | webmail | >= 1.6.0 < 1.6.12 | 1.6.12 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.2 | HIGH | |
| vendor_redhat | 7.2 | HIGH | |
Red Hat
roundcubemail: Roundcube Webmail: Information Disclosure via HTML Style Sanitizer
vendor_redhat · 2025-12-18 · CVSS 7.2 · HIGH · CWE-116
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
A flaw was found in Roundcube Webmail. This information disclosure vulnerability resides within the HTML style sanitizer, potentially allowing an attacker to gain unauthorized access to sensitive information. The vulnerability is triggered by improper handling of HTML styles.
Statement: This vulnerability is rated Low for Red Hat. The information disclosure flaw in Roundcube Webmail's HTML style sanitizer requires user interaction to exploit, limiting its impact in typical Red Hat deployments.
Debian
CVE-2025-68460: roundcube - Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
vendor_debian · 2025 · CVSS 7.2 · HIGH
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u6)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u6)
forky: resolved (fixed in 1.6.12+dfsg-1)
sid: resolved (fixed in 1.6.12+dfsg-1)
trixie: resolved (fixed in 1.6.12+dfsg-0+deb13u1)
OSV
CVE-2025-68460: Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
osv · 2025-12-18 · CVSS 7.5 · HIGH
GHSA
GHSA-365w-7p77-9f2q: Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
ghsa_unreviewed · 2025-12-18 · HIGH · CWE-116
No detection rules found.
No public exploits indexed.
Published: 2025-12-18