CVE-2026-26079: Inclusion of Functionality from Untrusted Control Sphere in Webmail

Severity: 4.7 MEDIUM (NVD)
EPSS: 0.1% (top 77.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Feb 11

Description

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

CVEListV5 | roundcube/webmail | 1.6.0 | 1.6.13 | +1

🔴 Vulnerability Details (3)

GHSA
GHSA-pw24-qgf8-7qm8: Roundcube Webmail before 1 (2026-02-11)
CVEList
CVE-2026-26079: Roundcube Webmail before 1 (2026-02-11)
OSV
CVE-2026-26079: Roundcube Webmail before 1 (2026-02-11)

📋 Vendor Advisories (2)

Red Hat
roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments (2026-02-11)
Debian
CVE-2026-26079: roundcube - Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style She... (2026)

🕵️ Threat Intelligence (1)

Wiz
CVE-2026-26079 Impact, Exploitability, and Mitigation Steps | Wiz