Debian Roundcube vulnerabilities

78 known vulnerabilities affecting debian/roundcube.

Total CVEs: 78
CISA KEV: 11 (actively exploited)
Public exploits: 13
Exploited in wild: 12
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 46, LOW 14

Vulnerabilities

Page 4 of 4
CVE-2021-26925 | P4 | MEDIUM | CVSS 5.4 | fixed in roundcube 1.4.11+dfsg.1-1 (bookworm) | 2021
CVE-2021-26925 [MEDIUM] roundcube: Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. Scope: local. bookworm: resolved (fixed in 1.4.11+dfsg.1-1); bullseye: resolved (fixed in 1.4.11+dfsg.1-1); forky: resolved (fixed in 1.4.11+dfsg.1-1); sid: resolved (fixed in 1.4.11+dfsg.1-1); trixie: resolved (fixed in 1.4.11+dfsg.1-1)
CVE-2020-18670 | P4 | MEDIUM | CVSS 5.4 | fixed in roundcube 1.4.5+dfsg.1-1 (bookworm) | 2020
CVE-2020-18670 [MEDIUM] roundcube: Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php. Scope: local. bookworm: resolved (fixed in 1.4.5+dfsg.1-1); bullseye: resolved (fixed in 1.4.5+dfsg.1-1); forky: resolved (fixed in 1.4.5+dfsg.1-1); sid: resolved (fixed in 1.4.5+dfsg.1-1); trixie: resolved (fixed in 1.4.5+dfsg.1-1)
CVE-2016-4552 | P4 | MEDIUM | CVSS 6.1 | fixed in roundcube 1.2.0+dfsg.1-1 (bookworm) | 2016
CVE-2016-4552 [MEDIUM] roundcube: Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message. Scope: local. bookworm: resolved (fixed in 1.2.0+dfsg.1-1); bullseye: resolved (fixed in 1.2.0+dfsg.1-1); forky: resolved (fixed in 1.2.0+dfsg.1-1); sid: resolved (fixed in
CVE-2017-6820 | P4 | MEDIUM | CVSS 6.1 | fixed in roundcube 1.2.3+dfsg.1-3 (bookworm) | 2017
CVE-2017-6820 [MEDIUM] roundcube: rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. Scope: local. bookworm: resolved (fixed in 1.2.3+dfsg.1-3); bullseye: resolved (fixed in 1.2.3+dfsg.1-3); forky: resolved (fixed in 1.2.3+dfsg.1-3); sid: resolved (fixed
CVE-2010-0464 | P4 | MEDIUM | CVSS 5.0 | fixed in roundcube 0.3.1-3 (bookworm) | 2010
CVE-2010-0464 [MEDIUM] roundcube: Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. Scope: local. bookworm: resolved (fixed in 0.3.1-3); bullseye: resolved (fixed in 0.3.1-3); forky: resolved (fixe
CVE-2020-18671 | P4 | MEDIUM | CVSS 5.4 | fixed in roundcube 1.4.5+dfsg.1-1 (bookworm) | 2020
CVE-2020-18671 [MEDIUM] roundcube: Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. Scope: local. bookworm: resolved (fixed in 1.4.5+dfsg.1-1); bullseye: resolved (fixed in 1.4.5+dfsg.1-1); forky: resolved (fixed in 1.4.5+dfsg.1-1); sid: resolved (fixed in 1.4.5+dfsg.1-1); trixie: resolved (fixed in 1.4.5+dfsg.1-1)
CVE-2015-8793 | P4 | MEDIUM | CVSS 4.3 | fixed in roundcube 1.1.2+dfsg.1-1 (bookworm) | 2015
CVE-2015-8793 [MEDIUM] roundcube: Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. Scope: local. bookworm: resolved (fixed in 1.1.2+dfsg.1-1); bullseye: resolved (
CVE-2026-35541 | P4 | MEDIUM | CVSS 4.2 | fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | 2026
CVE-2026-35541 [MEDIUM] roundcube: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password. Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8); forky: resolved (fixed in 1.6
CVE-2026-25916 | P4 | MEDIUM | CVSS 4.3 | fixed in roundcube 1.6.5+dfsg-1+deb12u7 (bookworm) | 2026
CVE-2026-25916 [MEDIUM] roundcube: Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u7); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u7); forky: resolved (fixed in 1.6.13+dfsg-1); sid: resolved (fixed in 1.6.13+dfsg-1); trixie: resolved (fixed in 1.6.13+dfsg-0+deb13u
CVE-2015-1433 | P4 | LOW | CVSS 4.3 | fixed in roundcube 0.9.5+dfsg1-4.2 (bookworm) | 2015
CVE-2015-1433 [MEDIUM] roundcube: program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. Scope: local. bookworm: resolved (fixed in 0.9.5+dfsg1-4.2); bullseye: resolved (fixed in 0.9.5+dfsg1-4.2); forky: resolved (fixed in 0.9.5+dfsg1-4.2); sid: r
CVE-2013-5645 | P4 | MEDIUM | CVSS 4.3 | fixed in roundcube 0.9.4-1 (bookworm) | 2013
CVE-2013-5645 [MEDIUM] roundcube: Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related
CVE-2019-10740 | P4 | MEDIUM | CVSS 4.3 | fixed in roundcube 1.3.10+dfsg.1-1 (bookworm) | 2019
CVE-2019-10740 [MEDIUM] roundcube: In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this
CVE-2011-2937 | P4 | LOW | CVSS 4.3 | fixed in roundcube 0.5.4+dfsg-1 (bookworm) | 2011
CVE-2011-2937 [MEDIUM] roundcube: Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. Scope: local. bookworm: resolved (fixed in 0.5.4+dfsg-1); bullseye: resolved (fixed in 0.5.4+dfsg-1); forky: resolved (fixed in 0.5.4+dfsg-1); sid: resolve
CVE-2009-0413 | P4 | LOW | CVSS 4.3 | fixed in roundcube 0.2~stable-1 (bookworm) | 2009
CVE-2009-0413 [MEDIUM] roundcube: Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message. Scope: local. bookworm: resolved (fixed in 0.2~stable-1); bullseye: resolved (fixed in 0.2~stable-1); forky: resolved (fixed in 0.2~stable-1); sid: resol
CVE-2011-1491 | P4 | LOW | CVSS 3.5 | fixed in roundcube 0.5.1-1 (bookworm) | 2011
CVE-2011-1491 [LOW] roundcube: The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then compose an e-mail message, related to a "login CSRF" issue. Scope: local. bookworm: r
CVE-2015-8105 | P4 | LOW | CVSS 3.5 | fixed in roundcube 1.1.3+dfsg.1-1 (bookworm) | 2015
CVE-2015-8105 [LOW] roundcube: Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. Scope: local. bookworm: resolved (fixed in 1.1.3+dfsg.1-1); bullseye: resolved (fixed in 1.1.3+dfsg.1-1); forky: resolved (fixed in
CVE-2026-35538 | P4 | LOW | CVSS 3.1 | fixed in roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | 2026
CVE-2026-35538 [LOW] roundcube: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search. Scope: local. bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8); bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8); forky: resolved (fixed in 1.6.14+dfsg-1); sid: resolved (fixed in 1.6.14+
CVE-2012-1253 | P4 | LOW | CVSS 2.6 | fixed in roundcube 0.7-1 (bookworm) | 2012
CVE-2012-1253 [LOW] roundcube: Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment. Scope: local. bookworm: resolved (fixed in 0.7-1); bullseye: resolved (fixed in 0.7-1); forky: resolved (fixed in 0.7-1); sid: resolved (fixed in 0.7-1)