cbcvebase.
CVE-2025-68461
published 2025-12-18

CVE-2025-68461: Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

Priority: P2 79
CVSS 3.1: 6.1 medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
KEV / ITW: CISA Known Exploited Vulnerability, remediation due 2026-03-13; exploited in the wild
EPSS: 19.77% (97.1st percentile)

Affected

3 ranges

Vendor     Product   Version range                         Fixed in
debian     roundcube < 1.6.5+dfsg-1+deb12u6 (bookworm)     1.6.5+dfsg-1+deb12u6 (bookworm)
roundcube  webmail   < 1.5.12                              1.5.12
roundcube  webmail   >= 1.6.0, < 1.6.12                    1.6.12

Detection & IOCs (extracted from sources)

Source: https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
  • Detect XSS exploitation attempts via the SVG <animate> tag in email content processed by Roundcube Webmail.
  • Inspect inbound emails for SVG attachments or inline SVG content containing <animate> tags; this is the vector for session hijacking or credential theft.
  • Flag Roundcube Webmail instances running versions before 1.5.12, or 1.6.x before 1.6.12, as vulnerable; over 46,000 instances are internet-accessible per Shodan.
  • CVE-2025-68461 is actively exploited in the wild per CISA KEV; treat any Roundcube XSS alert involving SVG content as high-priority triage.
  • Exploitation requires user interaction: the victim must open an email containing a malicious SVG attachment or view inline SVG content. This limits automated exploitation but does not reduce severity in phishing scenarios.
  • The vulnerability affects Roundcube Webmail 1.5.x before 1.5.12 and 1.6.x before 1.6.12. Debian stable (bookworm) ships a backported fix in 1.6.5+dfsg-1+deb12u6, so the upstream version number alone does not identify a patched Debian package.
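
The inbound-mail check and the version check described in the bullets above, as an added example (not code from Roundcube, from the fix commit, or from this page): it walks a MIME message, collects SVG attachments and inline <svg> markup inside HTML parts, and reports which of them contain an <animate> element; a second helper applies the affected upstream version ranges from the table. The sample messages are constructed inline, and all function and variable names are the example's own.

```python
"""Flag mail carrying SVG content that contains <animate> elements.

Added example for the detection notes above; not code from Roundcube, from the
fix commit, or from this page. It does what the bullets describe: walk a MIME
message, collect SVG attachments (image/svg+xml, or a .svg filename) and inline
<svg> markup inside text/html parts, and report which of them contain an
<animate> element. A second helper applies the affected upstream version ranges.
The sample messages are constructed here for the example.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Inline SVG islands in HTML, and the element the advisory names.
SVG_INLINE_RE = re.compile(r"<svg\b.*?</svg\s*>", re.IGNORECASE | re.DOTALL)
ANIMATE_RE = re.compile(r"<animate\b", re.IGNORECASE)


def svg_fragments(msg: EmailMessage):
    """Yield (location, svg_markup) for every SVG body the message carries."""
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        if ctype == "image/svg+xml" or filename.lower().endswith(".svg"):
            # Attachments arrive transfer-encoded (usually base64); decode first.
            payload = part.get_payload(decode=True) or b""
            yield f"attachment:{filename or '(unnamed)'}", payload.decode("utf-8", "replace")
        elif ctype == "text/html":
            # Inline SVG embedded in an HTML body.
            for match in SVG_INLINE_RE.finditer(part.get_content()):
                yield "inline-html", match.group(0)


def find_animate_svg(raw_message: bytes) -> list:
    """Return the locations of SVG fragments that contain an <animate> element."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    return [loc for loc, svg in svg_fragments(msg) if ANIMATE_RE.search(svg)]


def upstream_version_vulnerable(version: str) -> bool:
    """Apply the advisory's ranges (< 1.5.12, or >= 1.6.0 and < 1.6.12) to an
    upstream version string. Distribution packages carry backported fixes
    (Debian bookworm is fixed at 1.6.5+dfsg-1+deb12u6), so compare those against
    the distribution's own fixed version instead of calling this function."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(p) for p in m.groups())
    return v < (1, 5, 12) or (1, 6, 0) <= v < (1, 6, 12)


def build_sample(attachment_animate: bool, inline_animate: bool) -> bytes:
    """Construct a sample message (not a real capture) with an inline SVG in the
    HTML body and an SVG attachment; the flags add a harmless <animate> child."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body.")
    inline_svg = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/>'
    if inline_animate:
        inline_svg += '<animate attributeName="r" from="4" to="8" dur="1s"/>'
    inline_svg += "</svg>"
    msg.add_alternative(f"<html><body><p>Hello</p>{inline_svg}</body></html>", subtype="html")
    attached_svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/>'
    if attachment_animate:
        attached_svg += '<animate attributeName="width" from="10" to="20" dur="1s"/>'
    attached_svg += "</svg>"
    msg.add_attachment(attached_svg.encode(), maintype="image", subtype="svg+xml",
                       filename="logo.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    for flags in ((False, False), (True, False), (False, True), (True, True)):
        print(flags, find_animate_svg(build_sample(*flags)))
    for ver in ("1.5.11", "1.5.12", "1.6.11", "1.6.12"):
        print(ver, upstream_version_vulnerable(ver))
```

The scanner reports presence of the element rather than trying to judge whether a given <animate> is malicious, which matches the triage guidance above: any SVG carrying <animate> reaching an unpatched Roundcube is worth a look. The version helper deliberately refuses to reason about distribution version strings, because a Debian package number below 1.6.12 can already contain the backported fix.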

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv                     6.1    MEDIUM
vulncheck               7.2    HIGH
cisa                    6.1    MEDIUM
vendor_debian           7.2    HIGH
vendor_redhat           7.2    HIGH