Debian Roundcube vulnerabilities
78 known vulnerabilities affecting debian/roundcube.
Total CVEs: 78
CISA KEV: 11 (actively exploited)
Public exploits: 13
Exploited in wild: 12
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 46, LOW 14
Vulnerabilities
Page 3 of 4
CVE-2026-35543 (P4, MEDIUM, CVSS 5.3, 2026) - fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb1
CVE-2020-12626 (P4, MEDIUM, CVSS 6.5, 2020) - fixed in roundcube 1.4.4+dfsg.1-1 (bookworm)
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
Scope: local
bookworm: resolved (fixed in 1.4.4+dfsg.1-1)
bullseye: resolved (fixed in 1.4.4+dfsg.1-1)
forky: resolved (fixed in 1.4.4+dfsg.1-1)
sid: resolved (fixed in 1.4.4+dfsg.1-1)
trixie: resolved (fixed
CVE-2011-1492 (P4, MEDIUM, CVSS 5.5, 2011) - fixed in roundcube 0.5.1-1 (bookworm)
steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.
Scope: local
bookwor
CVE-2015-8864 (P4, MEDIUM, CVSS 6.1, 2015) - fixed in roundcube 1.1.5+dfsg.1-1 (bookworm)
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
Scope: local
bookworm: resolved (fixed in 1.1.5+dfsg.1-1)
bullseye: resolved (fixed in 1.1.5+dfsg.1-1)
forky: resolved (fixed in 1.1.5+dfsg.
CVE-2020-16145 (P4, MEDIUM, CVSS 6.1, 2020) - fixed in roundcube 1.4.8+dfsg.1-1 (bookworm)
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
Scope: local
bookworm: resolved (fixed in 1.4.8+dfsg.1-1)
bullseye: resolved (fixed in 1.4.8+dfsg.1-1)
forky: resolved (fixed in 1.4.8+dfsg.1-1)
sid: resolved (fixed in 1.4.8+dfsg.1-1)
trix
CVE-2026-35539 (P4, MEDIUM, CVSS 6.1, 2026) - fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8)
forky: resolved (fixed in 1.6.14+dfsg-1)
sid: re
CVE-2026-35544 (P4, MEDIUM, CVSS 5.3, 2026) - fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8)
forky: resolved (fixed
CVE-2026-26079 (P4, MEDIUM, CVSS 4.7, 2026) - fixed in roundcube 1.6.5+dfsg-1+deb12u7 (bookworm)
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u7)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u7)
forky: resolved (fixed in 1.6.13+dfsg-1)
sid: resolved (fixed in 1.6.13+dfsg-1)
trixie: resolved (fixed in
CVE-2016-4068 (P4, MEDIUM, CVSS 6.1, 2016) - fixed in roundcube 1.2.1+dfsg.1-1 (bookworm)
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
Scope: local
bookworm: resolved (fixed in 1.2.1+dfsg.1-1)
bullseye: resolved (fixed in 1.2.1+dfsg.1-1)
forky: resolved (fixed in 1.2.1+dfsg.
CVE-2020-15562 (P4, MEDIUM, CVSS 6.1, 2020) - fixed in roundcube 1.4.7+dfsg.1-1 (bookworm)
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
Scope: local
bookworm: resolved (fixed in 1.4.7+dfsg.1-1)
bullseye: resolved (fix
CVE-2024-37384 (P4, MEDIUM, CVSS 6.1, 2024) - fixed in roundcube 1.6.5+dfsg-1+deb12u2 (bookworm)
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u2)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u3)
forky: resolved (fixed in 1.6.7+dfsg-1)
sid: resolved (fixed in 1.6.7+dfsg-1)
trixie: resolved (fixed in 1.6.7+dfsg-1)
CVE-2009-4077 (P4, MEDIUM, CVSS 6.8, 2009) - fixed in roundcube 0.3-1 (bookworm)
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076.
Scope: local
bookworm: resolved (fixed in 0.3-1)
bullseye: resolved (fixed in 0.3-1)
forky: re
CVE-2023-47272 (P4, MEDIUM, CVSS 6.1, 2023) - fixed in roundcube 1.6.5+dfsg-1~deb12u1 (bookworm)
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1~deb12u1)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1~deb11u2)
forky: resolved (fixed in 1.6.5+dfsg-1)
sid: resolved (fixed in 1.6.5+dfsg-1)
trixie: resol
CVE-2011-4078 (P4, HIGH, CVSS 7.5, 2011) - fixed in roundcube 0.6+dfsg-1 (bookworm)
include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379.
Scope: local
bookworm: resolved (fixed in 0.6+dfsg-1)
bu
CVE-2009-4076 (P4, MEDIUM, CVSS 6.8, 2009) - fixed in roundcube 0.3-1 (bookworm)
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077.
Scope: local
bookworm: resolved (fixed in 0.3-1)
bullseye: resolved (fixed in 0.3-1)
forky:
CVE-2020-12625 (P4, MEDIUM, CVSS 6.1, 2020) - fixed in roundcube 1.4.4+dfsg.1-1 (bookworm)
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
Scope: local
bookworm: resolved (fixed in 1.4.4+dfsg.1-1)
bullseye: resolved (fixed in 1.4.4+dfsg.1-1)
forky: resolved (fixed in 1.4.4+dfsg.1-1)
sid: resolved (fixed
CVE-2015-5381 (P4, MEDIUM, CVSS 6.1, 2015) - fixed in roundcube 1.1.2+dfsg.1-1 (bookworm)
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
Scope: local
bookworm: resolved (fixed in 1.1.2+dfsg.1-1)
bullseye: resolved (fixed in 1.1.2+dfsg.1-1)
forky: resolved (fixed in 1.1.2+dfsg.1-1)
sid
CVE-2021-44025 (P4, MEDIUM, CVSS 6.1, 2021) - fixed in roundcube 1.5.0+dfsg.1-1 (bookworm)
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
Scope: local
bookworm: resolved (fixed in 1.5.0+dfsg.1-1)
bullseye: resolved (fixed in 1.4.12+dfsg.1-1~deb11u1)
forky: resolved (fixed in 1.5.0+dfsg.1-1)
sid: resolved (fixed in 1.5.0+dfsg.1-1)
trixie: resolv
CVE-2021-46144 (P4, MEDIUM, CVSS 6.1, 2021) - fixed in roundcube 1.6.0+dfsg-1 (bookworm)
Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.
Scope: local
bookworm: resolved (fixed in 1.6.0+dfsg-1)
bullseye: resolved (fixed in 1.4.13+dfsg.1-1~deb11u1)
forky: resolved (fixed in 1.6.0+dfsg-1)
sid: resolved (fixed in 1.6.0+dfsg-1)
trixie: resolved (fixed in 1.6.0
CVE-2020-13964 (P4, MEDIUM, CVSS 6.1, 2020) - fixed in roundcube 1.4.5+dfsg.1-1 (bookworm)
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
Scope: local
bookworm: resolved (fixed in 1.4.5+dfsg.1-1)
bullseye: resolved (fixed in 1.4.5+dfsg.1-1)
forky: resolved (fixed in 1.4.5+dfsg.1-1)
sid: resolved (fixed in 1.4.5+dfsg.1-1)
trixie: resolved (fi