
Debian Roundcube vulnerabilities

78 known vulnerabilities affecting debian/roundcube.

Total CVEs: 78
CISA KEV: 11 (actively exploited)
Public exploits: 13
Exploited in wild: 12
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 46, LOW 14

Vulnerabilities

Page 1 of 4
CVE-2025-49113 | P1 | CRITICAL | CVSS 9.9 | KEV | PoC | fixed in roundcube 1.6.5+dfsg-1+deb12u5 (bookworm) | 2025
[CRITICAL] roundcube: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u5); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u5); for...

CVE-2020-12641 | P1 | LOW | CVSS 9.8 | KEV | PoC | fixed in roundcube 1.4.4+dfsg.1-1 (bookworm) | 2020
[CRITICAL] roundcube: rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Scope: local. bookworm: resolved (fixed in 1.4.4+dfsg.1-1); bullseye: resolved (fixed in 1.4.4+dfsg.1-1); forky: resolved (fixed in 1.4.4+dfsg.1-1); sid: resolved (fixed in 1.4.4+d...

CVE-2024-42009 | P1 | CRITICAL | CVSS 9.3 | KEV | PoC | fixed in roundcube 1.6.5+dfsg-1+deb12u3 (bookworm) | 2024
[CRITICAL] roundcube: A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u3); bullseye: resolved (fixed in 1.4...

CVE-2021-44026 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | fixed in roundcube 1.5.0+dfsg.1-1 (bookworm) | 2021
[CRITICAL] roundcube: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Scope: local. bookworm: resolved (fixed in 1.5.0+dfsg.1-1); bullseye: resolved (fixed in 1.4.12+dfsg.1-1~deb11u1); forky: resolved (fixed in 1.5.0+dfsg.1-1); sid: resolved (fixed in 1.5.0+dfsg.1-1); trixie: resolved (fixed in 1.5.0+dfsg.1-1)

CVE-2024-37383 | P1 | MEDIUM | CVSS 6.1 | KEV | PoC | fixed in roundcube 1.6.5+dfsg-1+deb12u2 (bookworm) | 2024
[MEDIUM] roundcube: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u2); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u3); forky: resolved (fixed in 1.6.7+dfsg-1); sid: resolved (fixed in 1.6.7+dfsg-1); trixie: resolved (fixed in 1.6.7+dfsg-1)

CVE-2017-16651 | P1 | HIGH | CVSS 7.8 | KEV | PoC | fixed in roundcube 1.3.3+dfsg.1-1 (bookworm) | 2017
[HIGH] roundcube: Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issu...

CVE-2023-43770 | P1 | MEDIUM | CVSS 6.1 | KEV | PoC | fixed in roundcube 1.6.3+dfsg-1~deb12u1 (bookworm) | 2023
[MEDIUM] roundcube: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Scope: local. bookworm: resolved (fixed in 1.6.3+dfsg-1~deb12u1); bullseye: resolved (fixed in 1.4.14+dfsg.1-1~deb11u1); forky: resolved (fixed in 1.6.3+dfsg-1); sid: res...

CVE-2020-35730 | P1 | MEDIUM | CVSS 6.1 | KEV | PoC | fixed in roundcube 1.4.10+dfsg.1-1 (bookworm) | 2020
[MEDIUM] roundcube: An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Scope: local. bookworm: resolved (fixed in 1.4.10+dfsg.1-1); bullseye: resolved (fixed in 1....

CVE-2020-13965 | P1 | MEDIUM | CVSS 6.1 | KEV | fixed in roundcube 1.4.5+dfsg.1-1 (bookworm) | 2020
[MEDIUM] roundcube: An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
Scope: local. bookworm: resolved (fixed in 1.4.5+dfsg.1-1); bullseye: resolved (fixed in 1.4.5+dfsg.1-1); forky: resolved (fixed in 1.4.5+dfsg.1-1); sid: resolved (fixed in 1.4.5+dfs...

CVE-2023-5631 | P1 | MEDIUM | CVSS 6.1 | KEV | fixed in roundcube 1.6.4+dfsg-1~deb12u1 (bookworm) | 2023
[MEDIUM] roundcube: Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Scope: local. bookworm: resolved (fixed in 1.6.4+dfsg-1~deb12u1); bullseye: resolved (fixed in 1...

CVE-2025-68461 | P2 | HIGH | CVSS 7.2 | KEV | fixed in roundcube 1.6.5+dfsg-1+deb12u6 (bookworm) | 2025
[HIGH] roundcube: Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u6); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u6); forky: resolved (fixed in 1.6.12+dfsg-1); sid: resolved (fixed in 1.6.12+dfsg-1); trixie: resolved (f...

CVE-2013-1904 | P2 | MEDIUM | CVSS 5.0 | Exploited | fixed in roundcube 0.7.2-9 (bookworm) | 2013
[MEDIUM] roundcube: Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
Scope: local. bookworm: resolved (fixe...

CVE-2008-5619 | P2 | HIGH | CVSS 10.0 | PoC | fixed in roundcube 0.1.1-9 (bookworm) | 2008
[CRITICAL] roundcube: html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.
Scope: local. bookworm: resolved (fixed in 0.1.1-...

CVE-2015-8770 | P2 | HIGH | CVSS 7.5 | PoC | fixed in roundcube 1.1.4+dfsg.1-1 (bookworm) | 2015
[HIGH] roundcube: Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
Scope: local. bookworm: resolved (fixed in 1....

CVE-2024-42010 | P3 | HIGH | CVSS 7.5 | fixed in roundcube 1.6.5+dfsg-1+deb12u3 (bookworm) | 2024
[HIGH] roundcube: mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u3); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u4); forky: resolved (fixed in...

CVE-2015-2180 | P2 | HIGH | CVSS 8.8 | fixed in roundcube 1.1.1+dfsg.1-2 (bookworm) | 2015
[HIGH] roundcube: The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
Scope: local. bookworm: resolved (fixed in 1.1.1+dfsg.1-2); bullseye: resolved (fixed in 1.1.1+dfsg.1-2); forky: resolved (fixed in 1.1.1+dfsg.1-2); sid: resolved (fixed in 1.1.1+dfsg.1-2); trixie: resolved (fi...

CVE-2024-42008 | P3 | CRITICAL | CVSS 9.3 | fixed in roundcube 1.6.5+dfsg-1+deb12u3 (bookworm) | 2024
[CRITICAL] roundcube: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u3); bullseye: resolved (fixed in 1.4.15+...

CVE-2020-12640 | P3 | LOW | CVSS 9.8 | fixed in roundcube 1.4.4+dfsg.1-1 (bookworm) | 2020
[CRITICAL] roundcube: Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Scope: local. bookworm: resolved (fixed in 1.4.4+dfsg.1-1); bullseye: resolved (fixed in 1.4.4+dfsg.1-1); forky: resolved (fixed in 1.4.4+dfsg.1-1); sid: resolved (fixed in 1.4.4+dfsg.1-1); trixie: resolved (fixed...

CVE-2015-2181 | P3 | HIGH | CVSS 8.8 | fixed in roundcube 1.1.1+dfsg.1-2 (bookworm) | 2015
[HIGH] roundcube: Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.
Scope: local. bookworm: resolved (fixed in 1.1.1+dfsg.1-2); bullseye: resolved (fixed in 1.1.1+dfsg.1-2); forky: resolved (fixed in 1.1.1+dfsg.1-2); sid: resolved (fixed in 1.1.1+dfsg.1-2)

CVE-2017-8114 | P3 | HIGH | CVSS 8.8 | fixed in roundcube 1.2.3+dfsg.1-4 (bookworm) | 2017
[HIGH] roundcube: Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
Scope: local. bookworm: resolved (fixed in 1.2.3+dfsg.1-4); bullseye: resolved (fixed in 1.2.3+...

Debian Roundcube vulnerabilities | cvebase