Roundcube Webmail vulnerabilities
88 known vulnerabilities affecting roundcube/webmail.
Total CVEs: 88
CISA KEV: 11 (actively exploited)
Public exploits: 12
Exploited in wild: 12
Severity breakdown: CRITICAL 7, HIGH 20, MEDIUM 54, LOW 7
Vulnerabilities
CVE-2025-49113 | P1 | HIGH | CVSS 8.8 | KEV, PoC | affected: fixed in 1.5.10; ≥ 1.6.0, < 1.6.11 | 2025-06-02
CWE-502. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Source: nvd
CVE-2020-12641 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC | affected: ≥ 1.2.0, < 1.2.10; ≥ 1.3.0, < 1.3.11; +1 more | 2020-05-04
CWE-78. rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Source: nvd
CVE-2024-42009 | P1 | CRITICAL | CVSS 9.3 | KEV, PoC | affected: fixed in 1.5.8; ≥ 1.6.0, < 1.6.8 | 2024-08-05
CWE-79. A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Source: nvd
CVE-2021-44026 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC | affected: fixed in 1.3.17; ≥ 1.4.0, < 1.4.12 | 2021-11-19
CWE-89. Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Source: nvd
CVE-2024-37383 | P1 | MEDIUM | CVSS 6.1 | KEV, PoC | affected: fixed in 1.5.7; ≥ 1.6.0, < 1.6.7 | 2024-06-07
CWE-79. Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Source: nvd
CVE-2017-16651 | P1 | HIGH | CVSS 7.8 | KEV, PoC | affected: ≤ 1.1.9; v1.2.0; +9 more | 2017-11-09
CWE-552. Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active sess
Source: nvd
CVE-2023-43770 | P1 | MEDIUM | CVSS 6.1 | KEV, PoC | affected: fixed in 1.4.14; ≥ 1.5.0, < 1.5.4; +1 more | 2023-09-22
CWE-79. Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Source: nvd
CVE-2020-35730 | P1 | MEDIUM | CVSS 6.1 | KEV, PoC | affected: fixed in 1.2.13; ≥ 1.3.0, < 1.3.16; +1 more | 2020-12-28
CWE-79. An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Source: nvd
CVE-2020-13965 | P1 | MEDIUM | CVSS 6.1 | KEV | affected: fixed in 1.3.12; ≥ 1.4.0, < 1.4.5 | 2020-06-09
CWE-79. An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
Source: nvd
CVE-2023-5631 | P1 | MEDIUM | CVSS 5.4 | KEV | affected: fixed in 1.4.15; ≥ 1.5.0, < 1.5.5; +1 more | 2023-10-18
CWE-79. Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Source: nvd
CVE-2025-68461 | P2 | MEDIUM | CVSS 6.1 | KEV | affected: fixed in 1.5.12; ≥ 1.6.0, < 1.6.12 | 2025-12-18
CWE-79. Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Source: nvd
CVE-2013-1904 | P2 | MEDIUM | CVSS 5.0 | Exploited | affected: ≤ 0.7.2; v0.1; +23 more | 2014-02-08
CWE-22. Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
Source: nvd
CVE-2008-5619 | P2 | CRITICAL | CVSS 10.0 | PoC | affected: v0.2.1; v0.2.3 | 2008-12-17
CWE-94. html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.
Source: nvd
CVE-2015-2180 | P2 | HIGH | CVSS 8.8 | affected: ≤ 1.1 | 2017-01-30
CWE-74. The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
Source: nvd
CVE-2024-42008 | P3 | CRITICAL | CVSS 9.3 | affected: fixed in 1.5.8; ≥ 1.6.0, < 1.6.8 | 2024-08-05
CWE-79. A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
Source: nvd
CVE-2020-12640 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 1.2.0, < 1.2.10; ≥ 1.3.0, < 1.3.11; +1 more | 2020-05-04
CWE-22. Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Source: nvd
CVE-2024-37385 | P3 | CRITICAL | CVSS 9.8 | affected: fixed in 1.5.7; ≥ 1.6.0, < 1.6.7 | 2024-06-07
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
Source: nvd
CVE-2015-2181 | P3 | HIGH | CVSS 8.8 | affected: fixed in 1.1.0 | 2017-01-30
CWE-119. Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.
Source: nvd
CVE-2017-8114 | P3 | HIGH | CVSS 8.8 | affected: fixed in 1.0.11; ≥ 1.1.0, < 1.1.9; +1 more | 2017-04-29
CWE-269. Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
Source: nvd
CVE-2026-48842 | P3 | HIGH | CVSS 8.1 | affected: ≥ 1.6.0, < 1.6.16; ≥ 1.7.0, < 1.7.1 | 2026-05-25
CWE-89. Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
Source: cvelistv5, nvd