CVE-2026-48848
published 2026-05-25
CVE-2026-48848: Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an…
Priority P3 · 40 · high · 7.2 · CVSS 3.1
AV:N · AC:L · PR:N · UI:N · S:C · C:L · I:L · A:N
EPSS
0.39%
30.6th percentile
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| roundcube | webmail | >= 1.6.0 < 1.6.16 | 1.6.16 |
| roundcube | webmail | >= 1.7.0 < 1.7.1 | 1.7.1 |
CVSS provenance
nvd · v3.1 · 7.2 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvelistv5 · v3.1 · 7.2 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
GHSA
GHSA-p64r-9rcj-x33x: Roundcube Webmail 1
ghsa_unreviewed·2026-05-26
CVE-2026-48848 [HIGH] CWE-79 GHSA-p64r-9rcj-x33x: Roundcube Webmail 1
CVEList
CVE-2026-48848: Roundcube Webmail 1
cvelistv5·2026-05-25·CVSS 7.2
CVE-2026-48848 [HIGH] CWE-79 CVE-2026-48848: Roundcube Webmail 1
VulDB
Roundcube Webmail up to 1.6.15/1.7.0 SVG Document attributeName cross site scripting (EUVD-2026-31727)
vuldb·2026-05-25
CVE-2026-48848 [LOW] Roundcube Webmail up to 1.6.15/1.7.0 SVG Document attributeName cross site scripting (EUVD-2026-31727)
A vulnerability described as problematic has been identified in Roundcube Webmail up to 1.6.15/1.7.0. Affected by this vulnerability is an unknown functionality of the component SVG Document Handler. Such manipulation of the argument attributeName leads to cross site scripting.
This vulnerability is uniquely identified as CVE-2026-48848. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [epel-all]
bugzilla·2026-05-26·CVSS 7.2
CVE-2026-48848 [HIGH] CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [fedora-all]
bugzilla·2026-05-26·CVSS 7.2
CVE-2026-48848 [HIGH] CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [fedora-all]
Bugzilla
CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute
bugzilla·2026-05-25·CVSS 7.2
CVE-2026-48848 [HIGH] CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute
https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27
https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1