CVE-2026-26079
Published: 2026-02-11
Priority: P4 · 27 · medium · 4.7 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
EPSS: 0.29% (20.8th percentile)
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u7 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u7 (bookworm) |
| roundcube | webmail | < 1.5.13 | 1.5.13 |
| roundcube | webmail | >= 1.6.0 < 1.6.13 | 1.6.13 |
| ubuntu | roundcube | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
| osv | 4.7 | MEDIUM | — |
| vendor_ubuntu | 7.4 | HIGH | — |
| vendor_debian | 4.7 | MEDIUM | — |
| vendor_redhat | 4.7 | MEDIUM | — |
GHSA
GHSA-pw24-qgf8-7qm8 · ghsa_unreviewed · 2026-02-11 · CVE-2026-26079 [MEDIUM] · CWE-829
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
OSV
CVE-2026-26079 · osv · 2026-02-11 · CVSS 4.7 [MEDIUM]
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Ubuntu
Roundcube Webmail vulnerabilities · vendor_ubuntu · 2026-04-29 · CVSS 7.4 · CVE-2024-42010 [HIGH]
Title: Roundcube Webmail vulnerabilities
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail mishandled Punycode xn-- domain names. An attacker could possibly use this issue to cause a homograph attack. (CVE-2019-15237)

It was discovered that Roundcube Webmail did not properly sanitize certain attributes when handling CSS within HTML messages and certain SVG attributes. An attacker could possibly use this issue to cause a cross-site scripting attack. (CVE-2024-38356, CVE-2024-38357)

It was discovered that Roundcube Webmail did not properly sanitize certain HTML attributes when rendering e-mail messages. An attacker could possibly use this issue to cause a cross-site scripting attack. (CVE-2024-42008)
It was discovered that Roundcu
Red Hat
roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments · vendor_redhat · 2026-02-11 · CVSS 4.7 · CVE-2026-26079 [MEDIUM] · CWE-79
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
A flaw was found in Roundcube Webmail. This vulnerability allows for Cascading Style Sheets (CSS) injection, a technique where an attacker can inject malicious styling code into a web page. This occurs due to the application mishandling comments. Successful exploitation could lead to the disclosure of sensitive information.
Statement: MODERATE: This flaw in Roundcube Webmail allows for Cascading Style Sheets (CSS) injection due to mishandled comments. This could potentially lead to information disclosure or defacement within the webmail interface when pr
Debian
CVE-2026-26079: roundcube · vendor_debian · 2026 · CVSS 4.7 · CVE-2026-26079 [MEDIUM]
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u7)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u7)
forky: resolved (fixed in 1.6.13+dfsg-1)
sid: resolved (fixed in 1.6.13+dfsg-1)
trixie: resolved (fixed in 1.6.13+dfsg-0+deb13u1)
No detection rules found.
No public exploits indexed.
References
https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816
https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447
https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01
https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5
https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954
https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde
https://github.com/roundcube/roundcubemail/releases/tag/1.5.13
https://github.com/roundcube/roundcubemail/releases/tag/1.6.13
https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13