CVE-2025-68461
Published 2025-12-18
Priority: P2 (79) · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2026-03-13
Exploited in the wild (ITW)
EPSS: 19.77% (percentile 97.1)
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u6 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u6 (bookworm) |
| roundcube | webmail | < 1.5.12 | 1.5.12 |
| roundcube | webmail | >= 1.6.0 < 1.6.12 | 1.6.12 |
Detection & IOCs (extracted from sources)
- Detect XSS exploitation attempts via the SVG <animate> tag in email content processed by Roundcube Webmail
- Inspect inbound emails for SVG attachments or inline SVG content containing <animate> tags as a potential attack vector for session hijacking or credential theft
- Flag Roundcube Webmail instances running versions prior to 1.5.12 or 1.6.x prior to 1.6.12 as vulnerable; over 46,000 instances are internet-accessible per Shodan
- CVE-2025-68461 is actively exploited in the wild per CISA KEV; treat any Roundcube XSS alert involving SVG content as high-priority triage
- Exploitation requires user interaction: the victim must open an email containing a malicious SVG attachment or view inline SVG content; this limits automated exploitation but does not reduce severity in phishing scenarios
- The vulnerability affects Roundcube Webmail 1.5.x before 1.5.12 and 1.6.x before 1.6.12; Debian stable (bookworm) ships a backported fix in 1.6.5+dfsg-1+deb12u6, not the upstream version number
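As an added defender-side example (not code from this page, from Roundcube, or from any of the sources quoted here), the following Python script implements the two inspection bullets above: it walks the MIME parts of an inbound message and reports SVG attachments, SVG-typed parts and HTML bodies that carry an <animate> element, falling back to a byte scan when the part is not well-formed XML. The function names, the constructed sample message and its benign SVG are assumptions made for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from xml.etree import ElementTree as ET

# Hypothetical detector for this page (not Roundcube code); the regex is the fallback for non-XML input.
ANIMATE_RE = re.compile(rb"<\s*(?:\w+:)?animate\b[^>]*>", re.IGNORECASE)

def svg_animate_elements(doc: bytes) -> list:
    """Return one attribute dict per <animate> element found in an SVG or HTML fragment."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        # Not well-formed XML (an HTML body, or a deliberately broken file): fall back
        # to a case-insensitive byte scan so malformed input is never silently skipped.
        return [{"raw": m.group(0).decode("latin-1")} for m in ANIMATE_RE.finditer(doc)]
    hits = []
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # drop the SVG namespace prefix, if any
        if local_name.lower() == "animate":
            hits.append(dict(el.attrib))
    return hits

def scan_message(raw: bytes) -> list:
    """Walk every MIME part; report SVG parts (by type or .svg name) and HTML bodies with <animate>."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype == "image/svg+xml" or name.endswith(".svg"):
            label = name or "(inline svg)"
        elif ctype == "text/html":
            label = "(html body)"
        else:
            continue  # multipart containers, plain text, other attachments
        found = svg_animate_elements(part.get_payload(decode=True) or b"")
        if found:
            findings.append((label, found))
    return findings

def build_sample_message() -> bytes:
    """Constructed sample: a text body plus an SVG attachment whose <animate> merely pulses a circle."""
    msg = EmailMessage()
    msg.set_content("see attachment")
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5">'
           b'<animate attributeName="r" values="5;10;5" dur="1s"/></circle></svg>')
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="chart.svg")
    return msg.as_bytes()
```

Any hit is a triage signal rather than proof of exploitation, since legitimate SVG graphics may also use <animate>; the version check from the third bullet still decides whether the receiving Roundcube instance is exposed.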
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 6.1 | MEDIUM | |
| vulncheck | 7.2 | HIGH | |
| cisa | 6.1 | MEDIUM | |
| vendor_debian | 7.2 | HIGH | |
| vendor_redhat | 7.2 | HIGH | |
Ubuntu
Roundcube Webmail vulnerabilities (vendor_ubuntu · 2026-03-16 · CVE-2025-68461)
Summary: Roundcube Webmail could be made to run arbitrary code via cross-site scripting.
It was discovered that Roundcube Webmail did not properly sanitize the animate tag within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack.
Instructions: In general, a standard system update will make all the necessary changes.
CISA
RoundCube Webmail Cross-site Scripting Vulnerability (cisa · 2026-02-20 · CVSS 6.1 · MEDIUM · CWE-79)
Affected: Roundcube Webmail
RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 ; https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb ; https://nvd.nist.gov/vuln/detail/CVE-2025-68461
Remediation Due Date: 2026-03-13
Red Hat
roundcubemail: Roundcube Webmail: Cross-Site Scripting (XSS) vulnerability via crafted SVG animate tag (vendor_redhat · 2025-12-18 · CVSS 7.2 · HIGH · CWE-79)
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Roundcube Webmail contains a Cross-Site Scripting (XSS) vulnerability in its SVG handling. The application fails to properly sanitize the animate tag within SVG documents, allowing attackers to inject malicious scripts, potentially enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim.
Statement: This flaw is rated Moderate because successful exploitation requires user interaction - the victim must open an email containing a malicious SVG attachment or view inline SVG content. While this limits the attack su
Debian
CVE-2025-68461: roundcube (vendor_debian · 2025 · CVSS 7.2 · HIGH)
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u6)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u6)
forky: resolved (fixed in 1.6.12+dfsg-1)
sid: resolved (fixed in 1.6.12+dfsg-1)
trixie: resolved (fixed in 1.6.12+dfsg-0+deb13u1)
GHSA
GHSA-qqrg-hpxx-mmvw (ghsa_unreviewed · 2025-12-18 · HIGH · CWE-79)
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
OSV
CVE-2025-68461 (osv · 2025-12-18 · CVSS 6.1 · MEDIUM)
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
VulnCheck
RoundCube Webmail Cross-site Scripting Vulnerability (vulncheck · 2025 · CVSS 7.2 · HIGH · CWE-79)
RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.
Affected: Roundcube Roundcube Webmail
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-03-13
No detection rules found.
No public exploits indexed.
Checkpoint
2nd March – Threat Intelligence Report (blogs_checkpoint · 2026-03-02 · tagged CVE-2025-59536)
For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records f
Bleepingcomputer
CISA: Recently patched RoundCube flaws now exploited in attacks (blogs_bleepingcomputer · 2026-02-23 · CVSS 9.9 · CRITICAL)
By Sergiu Gatlan
CISA flagged two Roundcube Webmail vulnerabilities as actively exploited in attacks and ordered U.S. federal agencies to patch them within three weeks.
Roundcube Webmail is a web-based email client that has been the default mail interface for the widely used cPanel web hosting control panel since 2008.
The first vulnerability tagged as actively abused by threat actors is a critical remote code execution flaw tracked as CVE-2025-49113, which was first flagged as exploited days after it was patched in June 2025, when Internet security watchdog Shadowserver warned that over 84,000 vulnerable Roundcube webmail installations were vulnerable to attacks.
Roundcube patched the second one ( CVE-2025-68461 ) tw
Wiz
CVE-2025-68461 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.2 · HIGH)
## CVE-2025-68461: Linux Debian vulnerability analysis and mitigation
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Source: NVD
Score: 6.1 (Severity MEDIUM); CNA Score: 7.2
Published: December 18, 2025
Affected Technologies: Linux Debian, Linux Ubuntu
Has Public Exploit: Yes
Has CISA KEV Exploit: Yes
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 91.3
Exploitation Probability (EPSS): 6.8
Affected packages and libraries: roundcube, roundcubemail
Sources

| Source | Versions | Severity | Fix | Added at |
|---|---|---|---|---|
| NVD | | | | |
| Debian | 11, 12, 13, 14 | MEDIUM | Has Fix | Dec 18, 2025 |
| Echo | | MEDIUM | Has Fix | Dec 21, 2025 |
| Ubuntu | 18.04, 20.04, 22.04, 24.04 | HIGH | Has | |
- 2025-12-18: Published
- 2026-02-20: Added to CISA KEV
- Exploited in the wild