Roundcube Roundcubemail vulnerabilities
11 known vulnerabilities affecting roundcube/roundcubemail.
Total CVEs: 11
CISA KEV: 2 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 1, MEDIUM 8, LOW 2
Vulnerabilities
CVE-2026-35540 [MEDIUM] CWE-669 Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
CVE-2026-35539 [MEDIUM] CWE-79 Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
CVE-2026-35544 [MEDIUM] CWE-669 Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
CVE-2026-35545 [MEDIUM] CWE-669 Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with
CVE-2026-35543 [MEDIUM] CWE-669 Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-cont
CVE-2026-35542 [MEDIUM] CWE-669 Roundcube: Bypass of remote image blocking via crafted BODY background attribute
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
CVE-2026-35541 [MEDIUM] CWE-843 Roundcube Webmail: Incorrect password comparison in the password plugin
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
CVE-2026-35537 [LOW] CWE-502 Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
CVE-2026-35538 [LOW] CWE-88 Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
Version range: ≥ 1.7-beta, < 1.7-rc5. Published: 2026-04-03.
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
CVE-2025-49113 [CRITICAL] CWE-502 Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
Flags: KEV, PoC. Version ranges: ≥ 0, < 1.5.10; ≥ 1.6.0, < 1.6.11. Published: 2025-06-02.
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
CVE-2023-5631 [MEDIUM] CWE-79 CVSS 5.4
Flags: KEV. Version ranges: ≥ 1.6.0, < 1.6.3; ≥ 1.5.0, < 1.5.4; +1 more. Published: 2023-10-18.
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.