⚠ Actively exploited

Added to CISA KEV on 2026-02-20. Federal agencies required to patch by 2026-03-13. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-68461 — Cross-site Scripting in Webmail

CWE-79 — Cross-site Scripting11 documents11 sources

Severity

6.1MEDIUMNVD

CNA7.2VulnCheck7.2

EPSS

6.8%

top 8.63%

CISA KEV

KEV

Added 2026-02-20

Due 2026-03-13

Exploit

No known exploits

Affected products

Roundcube Webmail

Timeline

PublishedDec 18

KEV addedFeb 20

KEV dueMar 13

Latest updateMar 16

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5roundcube/webmail1.6.0 — 1.6.12+1

▶NVDroundcube/webmail1.6.0 — 1.6.12+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

CVE-2025-68461: Roundcube Webmail before 1↗2025-12-18

▶

GHSA

GHSA-qqrg-hpxx-mmvw: Roundcube Webmail before 1↗2025-12-18

▶

OSV

CVE-2025-68461: Roundcube Webmail before 1↗2025-12-18

▶

VulnCheck

RoundCube Webmail Cross-site Scripting Vulnerability↗2025

▶

📋Vendor Advisories

Ubuntu

Roundcube Webmail vulnerabilities↗2026-03-16

▶

CISA

RoundCube Webmail Cross-site Scripting Vulnerability↗2026-02-20

▶

Red Hat

roundcubemail: Roundcube Webmail: Cross-Site Scripting (XSS) vulnerability via crafted SVG animate tag↗2025-12-18

▶

Debian

CVE-2025-68461: roundcube - Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-S...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68461 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶