
Debian Roundcube vulnerabilities

78 known vulnerabilities affecting debian/roundcube.

Total CVEs: 78
CISA KEV: 11 (actively exploited)
Public exploits: 13
Exploited in wild: 12
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 46, LOW 14

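The entries on this page give, for each CVE, the Debian package version that fixes it in bookworm. Deciding whether an installed package is behind one of them needs dpkg's version ordering (`dpkg --compare-versions` on a Debian host), not string comparison: 1.3.10 sorts after 1.3.8, and 1.6.5~rc1 before 1.6.5. The following Python is an added example, not cvebase or Debian code; it reimplements that ordering for offline use and checks constructed installed versions against the bookworm fixed versions copied from the entries on this page.

```python
"""Check an installed roundcube version against bookworm fixed-in versions
using dpkg's version-ordering rules (epoch, upstream, Debian revision).

Added example, not cvebase or Debian tooling. The installed versions used
in main() are constructed; the fixed versions are copied from this page.
"""
import re
from itertools import zip_longest
from typing import Dict, List, Tuple

# Fixed-in versions for bookworm, as listed in the entries on this page.
BOOKWORM_FIXED: Dict[str, str] = {
    "CVE-2025-68460": "1.6.5+dfsg-1+deb12u6",
    "CVE-2026-35537": "1.6.5+dfsg-1+deb12u8",
    "CVE-2026-35540": "1.6.5+dfsg-1+deb12u8",
    "CVE-2026-35542": "1.6.5+dfsg-1+deb12u8",
    "CVE-2026-35545": "1.6.5+dfsg-1+deb12u8",
    "CVE-2019-15237": "1.5.0+dfsg.1-1",
    "CVE-2018-1000071": "1.3.10+dfsg.1-1",
    "CVE-2018-19205": "1.3.8+dfsg.1-1",
}


def split_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the LAST hyphen starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    revision = ""
    if "-" in v:
        v, revision = v.rsplit("-", 1)
    return epoch, v, revision


def _order(c: str) -> int:
    """dpkg's ordering for characters in non-digit runs: '~' sorts before
    everything, including end-of-string; letters before other symbols."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def compare_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (lexical, via _order) and digit runs (numeric)."""
    while a or b:
        sa = re.match(r"\D*", a).group(0)
        sb = re.match(r"\D*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da = re.match(r"\d*", a).group(0)
        db = re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")   # numeric, so 10 > 8
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = compare_fragment(ua, ub)
    return c if c != 0 else compare_fragment(ra, rb)


def open_cves(installed: str, fixed: Dict[str, str] = BOOKWORM_FIXED) -> List[str]:
    """CVE IDs whose bookworm fix is newer than the installed version."""
    return sorted(cve for cve, fix in fixed.items() if compare_versions(installed, fix) < 0)


if __name__ == "__main__":
    # Constructed installed versions, e.g. from: dpkg-query -W -f '${Version}' roundcube
    for installed in ("1.6.5+dfsg-1+deb12u6", "1.6.5+dfsg-1+deb12u8"):
        print(installed, "->", open_cves(installed) or "nothing open from this list")
```

On a Debian host the same decision is `dpkg --compare-versions "$installed" lt 1.6.5+dfsg-1+deb12u8`; the reimplementation is for hosts without dpkg (CI, an inventory database) and exists mainly to make the ordering rules explicit.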
Vulnerabilities

Page 2 of 4
CVE-2016-9920 | P3 | HIGH | CVSS 7.5 | fixed in roundcube 1.2.3+dfsg.1-1 (bookworm) | 2016
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail me…
Source: debian

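The CVE-2016-9920 entry above turns on a user-controlled envelope-from address reaching the sendmail command line. The Python below is an added example, not Roundcube's sendmail code: it contrasts interpolating the address into a shell command line, where whitespace splits one argument into several and the MTA parses the extras as options, with passing a validated address as its own argv element. The binary path and the -oi/-f/-t option set are assumed for illustration.

```python
"""Envelope-from on the sendmail command line: unsafe vs. hardened construction.

Added example, not Roundcube's code. The sendmail path and option set are
assumed; the addresses passed in are constructed test inputs.
"""
import re
import shlex
from typing import List

# Deliberately conservative addr-spec: dot-atom local part, dotted domain labels.
# Tighter than RFC 5322 on purpose; anything it rejects is not a plausible envelope-from.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ENVELOPE_FROM = re.compile(rf"^{_ATOM}(\.{_ATOM})*@{_LABEL}(\.{_LABEL})+$")


class UnsafeEnvelopeFrom(ValueError):
    pass


def validate_envelope_from(addr: str) -> str:
    """Admit only a bare addr-spec; reject anything the MTA could read as an option."""
    if addr.startswith("-"):
        # Defence in depth: never let a user value look like an option to the MTA.
        raise UnsafeEnvelopeFrom("leading '-' in envelope-from")
    if any(ord(c) < 0x20 or c == "\x7f" or c.isspace() for c in addr):
        raise UnsafeEnvelopeFrom("whitespace or control character in envelope-from")
    if not ENVELOPE_FROM.fullmatch(addr):
        raise UnsafeEnvelopeFrom("envelope-from is not a bare addr-spec")
    return addr


def sendmail_cmdline_unsafe(envelope_from: str, sendmail: str = "/usr/sbin/sendmail") -> str:
    """Vulnerable pattern: user value interpolated into a string meant for the shell."""
    return f"{sendmail} -oi -f {envelope_from} -t"


def shell_argv_of(envelope_from: str) -> List[str]:
    """What a POSIX shell would hand the MTA for the unsafe command line."""
    return shlex.split(sendmail_cmdline_unsafe(envelope_from))


def sendmail_argv(envelope_from: str, sendmail: str = "/usr/sbin/sendmail") -> List[str]:
    """Hardened: validate, then build argv as a list (no shell) with the address
    as its own element, e.g. for subprocess.run(argv, input=message_bytes)."""
    return [sendmail, "-oi", "-f", validate_envelope_from(envelope_from), "-t"]


def is_rejected(envelope_from: str) -> bool:
    try:
        validate_envelope_from(envelope_from)
    except UnsafeEnvelopeFrom:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a space turns one argument into two for the shell.
    print(shell_argv_of("alice@example.org extra-arg"))
    print(sendmail_argv("alice@example.org"))
```

The argv list removes the shell from the path entirely; the validator is still needed because the MTA itself parses argv, and the strict addr-spec keeps the value a single, option-free token.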
CVE-2018-19206 | P3 | MEDIUM | CVSS 6.1 | fixed in roundcube 1.3.8+dfsg.1-1 (bookworm) | 2018
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><s…, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Scope: local. bookworm: resolved (fixed in 1.3.8+dfsg.1-1); bullseye: resolved (fixed in 1.3.8+dfsg.1-1); forky: resolved (fixed in 1.3.8+dfsg.1-1); sid: resolved (fixed in 1.3.8+dfsg.1-1); trixie: resolved (f…
Source: debian

CVE-2026-35537 | P3 | LOW | CVSS 3.7 | fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8); bullseye: resolved; forky: resolved (fixed in 1.6.14+dfsg-1); sid: resolve…
Source: debian

CVE-2018-9846 | P3 | HIGH | CVSS 8.8 | fixed in roundcube 1.3.6+dfsg.1-1 (bookworm) | 2018
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily expl…
Source: debian

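The CVE-2018-9846 entry describes CRLF injection into an IMAP command: the protocol is line-oriented, so a parameter carrying an encoded %0d%0a followed by text makes the server read a second command. The Python below is an added example, not the Roundcube archive plugin: it shows what the server sees when a decoded _uid parameter is interpolated unchecked, and a validator that only admits an RFC 3501 sequence set. The UID MOVE command shape, the tag and the mailbox name are assumed for illustration.

```python
"""IMAP CRLF injection via a request parameter: what the server sees, and a validator.

Added example, not Roundcube or its archive plugin. The 'UID MOVE' command,
tag and mailbox are assumed; the _uid values are constructed test inputs.
"""
import re
from typing import List
from urllib.parse import unquote

# RFC 3501 sequence-set: numbers or '*', optionally as ranges, comma separated.
SEQUENCE_SET = re.compile(r"^(\*|\d+)(:(\*|\d+))?(,(\*|\d+)(:(\*|\d+))?)*$")


class ImapInjection(ValueError):
    pass


def build_move_command(tag: str, uid_param: str, mailbox: str) -> str:
    """Vulnerable pattern: the URL-decoded request parameter goes straight into
    the command line. (The mailbox is assumed fixed; a user-controlled one would
    need IMAP quoted-string or literal encoding as well.)"""
    uid = unquote(uid_param)
    return f"{tag} UID MOVE {uid} {mailbox}\r\n"


def parse_imap_lines(wire: str) -> List[str]:
    """Split the byte stream the way an IMAP server does: one command per CRLF line."""
    return [line for line in wire.split("\r\n") if line]


def validate_sequence_set(uid_param: str) -> str:
    """Decode, then admit only a bare sequence set; CR, LF and NUL are never valid."""
    uid = unquote(uid_param)
    if "\r" in uid or "\n" in uid or "\x00" in uid:
        raise ImapInjection("control character in _uid")
    if not SEQUENCE_SET.fullmatch(uid):
        raise ImapInjection("_uid is not an IMAP sequence set")
    return uid


def build_move_command_safe(tag: str, uid_param: str, mailbox: str) -> str:
    return f"{tag} UID MOVE {validate_sequence_set(uid_param)} {mailbox}\r\n"


def is_rejected_uid(uid_param: str) -> bool:
    try:
        validate_sequence_set(uid_param)
    except ImapInjection:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: one request parameter, two commands on the wire.
    crafted = "5%0d%0aA002 NOOP"
    for line in parse_imap_lines(build_move_command("A001", crafted, "Archive")):
        print(repr(line))
    print(build_move_command_safe("A001", "1:3,7,10:*", "Archive").rstrip())
```

Rejecting CR and LF alone is not enough: the allow-list regex also stops a space-separated payload from being appended to the command, which is why the validator fails closed on anything that is not a sequence set.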
CVE-2013-6172 | P3 | HIGH | CVSS 7.5 | fixed in roundcube 0.9.4-1.1 (bookworm) | 2013
steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
Scope: local. bookworm: resolved (fixed in 0.9.4-1.1); bullseye: resolved (fixed in 0.9.4-1.1)…
Source: debian

CVE-2026-35545 | P3 | MEDIUM | CVSS 5.3 | fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | 2026
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8); bu…
Source: debian

CVE-2012-3508 | P4 | MEDIUM | CVSS 4.3 | PoC | fixed in roundcube 0.7.2-4 (bookworm) | 2012
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.
Scope: local. bookworm: resolved (fixed in 0.7.2-4); bullseye: resolved (fixed in 0.7.2-4); forky: resolved (fixed in 0.7.2-4)…
Source: debian

CVE-2012-4668 | P4 | MEDIUM | CVSS 4.3 | PoC | fixed in roundcube 0.7.2-4 (bookworm) | 2012
Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.
Scope: local. bookworm: resolved (fixed in 0.7.2-4); bullseye: resolved (fixed in 0.7.2-4); forky: resolved (fixed in 0.7.2-4); sid: resolved (fixed in 0.7.2-4); trixie: resolved (fixed in 0.7.2-4)
Source: debian

CVE-2025-68460 | P3 | HIGH | CVSS 7.2 | fixed in roundcube 1.6.5+dfsg-1+deb12u6 (bookworm) | 2025
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u6); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u6); forky: resolved (fixed in 1.6.12+dfsg-1); sid: resolved (fixed in 1.6.12+dfsg-1); trixie: resolved (fixed in 1.6.12+…
Source: debian

CVE-2016-4069 | P3 | HIGH | CVSS 8.8 | fixed in roundcube 1.1.5+dfsg.1-1 (bookworm) | 2016
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
Scope: local. bookworm: resolved (fixed in 1.1.5+dfsg.1-1); bullseye: resolved (fixed in 1.1.5+dfsg.1-1); forky: r…
Source: debian

CVE-2007-6321 | P4 | LOW (description tagged MEDIUM) | CVSS 4.3 | PoC | fixed in roundcube 0.1~rc2-6 (bookworm) | 2007
Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via style sheets containing expression commands.
Scope: local. bookworm: resolved (fixed in 0.1~rc2-6); bullseye: resolved (fixed in 0.1~rc2-6); forky: resolved (fixed in 0…
Source: debian

CVE-2018-1000071 | P3 | LOW (description tagged HIGH) | CVSS 7.5 | fixed in roundcube 1.3.10+dfsg.1-1 (bookworm) | 2018
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in the enigma plugin that can result in exfiltration of the gpg private key. This attack appears to be exploitable via network connectivity.
Scope: local. bookworm: resolved (fixed in 1.3.10+dfsg.1-1); bullseye: resolved (fixed in 1.3.10+dfsg.1-1); forky: resolved (fixed in 1.3.10+dfsg.1-1)
Source: debian

CVE-2015-5382 | P3 | MEDIUM | CVSS 6.5 | fixed in roundcube 1.1.2+dfsg.1-1 (bookworm) | 2015
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
Scope: local. bookworm: resolved (fixed in 1.1.2+dfsg.1-1); bullseye: resolved (fixed in 1.1.2+dfsg.1-1); forky: resolved (fixed in 1.1.2+dfsg.1-1); sid: resolved (fixed in…
Source: debian

CVE-2018-19205 | P3 | MEDIUM | CVSS 5.9 | fixed in roundcube 1.3.8+dfsg.1-1 (bookworm) | 2018
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php.
Scope: local. bookworm: resolved (fixed in 1.3.8+dfsg.1-1); bullseye: resolved (fixed in 1.3.8+dfsg.1-1); forky: resolve…
Source: debian

CVE-2015-8794 | P3 | MEDIUM | CVSS 6.5 | fixed in roundcube 1.1.2+dfsg.1-1 (bookworm) | 2015
Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.
Scope: local. bookworm: resolved (fixed in 1.1.2+dfsg.1-1); bullseye: resolved (fixed in 1.1.2+dfsg.1-1); f…
Source: debian

CVE-2026-35540 | P4 | MEDIUM | CVSS 5.4 | fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | 2026
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8); f…
Source: debian

CVE-2019-15237 | P4 | LOW (description tagged HIGH) | CVSS 7.4 | fixed in roundcube 1.5.0+dfsg.1-1 (bookworm) | 2019
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Scope: local. bookworm: resolved (fixed in 1.5.0+dfsg.1-1); bullseye: open; forky: resolved (fixed in 1.5.0+dfsg.1-1); sid: resolved (fixed in 1.5.0+dfsg.1-1); trixie: resolved (fixed in 1.5.0+dfsg.1-1)
Source: debian

CVE-2014-9587 | P4 | MEDIUM | CVSS 6.8 | fixed in roundcube 1.1.1+dfsg.1-2 (bookworm) | 2014
Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.
Scope: local. bookworm: resolved (fixed in 1.1.1+dfsg.1-2); bullseye: resolved (fixed in 1.1.1+df…
Source: debian

CVE-2008-5620 | P4 | LOW (description tagged HIGH) | CVSS 7.8 | fixed in roundcube 0.1.1-10 (bookworm) | 2008
RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted size parameters that are used to create a large quota image.
Scope: local. bookworm: resolved (fixed in 0.1.1-10); bullseye: resolved (fixed in 0.1.1-10); forky: resolved (fixed in 0.1.1-10); sid: resolved (fixed in 0.1.1-10); trixie: re…
Source: debian

CVE-2026-35542 | P4 | MEDIUM | CVSS 5.3 | fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | 2026
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8); bullseye: resolved (fixed in 1.4.15+df…
Source: debian
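Three entries on this page (CVE-2026-35545, CVE-2026-35540, CVE-2026-35542) are remote references that slip past a filter which only looks at <img src>: url() paint values inside an SVG animate element, stylesheet links pointing at local network hosts, and the background attribute of BODY. The Python below is an added example, not Roundcube's washtml sanitizer: a scanner that lists every remote reference in an HTML e-mail body by vector, and a check that flags the ones whose literal host is loopback, private or link-local. The sample HTML and the hosts in it are constructed.

```python
"""List remote references in an HTML e-mail body that an <img src>-only
image blocker misses, and flag literal local-network targets.

Added example, not Roundcube's washtml. SAMPLE and its hosts are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "background", "poster", "data", "xlink:href"}
SVG_PAINT_ATTRS = {"fill", "filter", "stroke"}          # animatable with url(...) values
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)


def is_remote(url: str) -> bool:
    """True for http(s) or protocol-relative (//host/...) URLs; cid:/data: are not remote."""
    p = urlsplit(url.strip())
    return bool(p.netloc) and p.scheme in ("", "http", "https")


def is_local_network(url: str) -> bool:
    """Literal loopback/private/link-local hosts. A hostname has to be resolved at
    fetch time and the resulting address re-checked; this only decides literals."""
    host = urlsplit(url.strip()).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


class RemoteRefScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []   # (vector, url)
        self._in_style = False

    def _css(self, vector: str, text: str) -> None:
        for url in CSS_URL.findall(text or ""):
            if is_remote(url):
                self.findings.append((vector, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}            # HTMLParser lowercases names
        for name in sorted(URL_ATTRS & a.keys()):
            if is_remote(a[name]):
                vector = "body-background" if (tag, name) == ("body", "background") else f"{tag}@{name}"
                self.findings.append((vector, a[name]))
        if "style" in a:
            self._css(f"{tag}@style", a["style"])       # inline style url(...)
        if tag == "animate" and a.get("attributename", "").lower() in SVG_PAINT_ATTRS:
            for value in ";".join((a.get("values", ""), a.get("from", ""), a.get("to", ""))).split(";"):
                self._css("svg-animate", value)         # url(...) as an animated paint value
        if tag == "style":
            self._in_style = True

    def handle_data(self, data):
        if self._in_style:
            self._css("style-sheet", data)              # url(...) inside <style> blocks

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False


def scan(html: str) -> List[Tuple[str, str]]:
    p = RemoteRefScanner()
    p.feed(html)
    p.close()
    return p.findings


def local_network_targets(html: str) -> List[Tuple[str, str]]:
    return [f for f in scan(html) if is_local_network(f[1])]


# Constructed message body exercising the vectors named on this page.
SAMPLE = """<html><head><style>body { background: url(http://cdn.example/bg.png) }</style>
<link rel="stylesheet" href="http://10.0.0.5/track.css"></head>
<body background="//tracker.example/pixel.gif">
<img src="cid:inline-logo@example.com">
<svg><rect width="10" height="10">
<animate attributeName="fill" values="url(http://tracker.example/a.svg#p);red"/>
</rect></svg></body></html>"""

if __name__ == "__main__":
    for vector, url in scan(SAMPLE):
        print(f"{vector:16} {url}  {'LOCAL-NETWORK' if is_local_network(url) else ''}".rstrip())
```

The scanner is a detection aid for triage, not a sanitizer: a blocker has to strip or rewrite these references, and a server-side fetcher that follows stylesheet links must re-check the resolved address, since a hostname can point at an internal host.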