Roundcube Webmail vulnerabilities

80 known vulnerabilities affecting roundcube/webmail.

Total CVEs: 80
CISA KEV: 11 (actively exploited)
Public exploits: 9
Exploited in wild: 9
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 50, LOW 6

Vulnerabilities (page 1 of 4)
CVE-2026-35545 | HIGH | CVSS 8.2 | fixed in 1.5.15; ≥ 1.6.0, < 1.6.15 | 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Sources: cvelistv5, nvd
CVE-2026-35537 | HIGH | CVSS 7.5 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | 2026-04-03
CWE-502. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Sources: cvelistv5, nvd
CVE-2026-35541 | MEDIUM | CVSS 4.2 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | 2026-04-03
CWE-843. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Sources: cvelistv5, nvd
CVE-2026-35544 | MEDIUM | CVSS 5.3 | ≤ 1.5.13; ≥ 1.6.0, ≤ 1.6.13; +2 more | 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Sources: cvelistv5, nvd
CVE-2026-35542 | MEDIUM | CVSS 5.3 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Sources: cvelistv5, nvd
CVE-2026-35540 | MEDIUM | CVSS 6.5 | ≥ 1.6.0, < 1.6.14 | 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts.
Sources: cvelistv5, nvd
CVE-2026-35543 | MEDIUM | CVSS 5.3 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Sources: cvelistv5, nvd
CVE-2026-35539 | MEDIUM | CVSS 6.1 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | 2026-04-03
CWE-79. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
Sources: cvelistv5, nvd
CVE-2026-35538 | LOW | CVSS 3.1 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | 2026-04-03
CWE-88. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Sources: cvelistv5, nvd
CVE-2026-26079 | MEDIUM | CVSS 4.7 | fixed in 1.5.13; ≥ 1.6.0, < 1.6.13 | 2026-02-11
CWE-829. Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Sources: cvelistv5, nvd
CVE-2026-25916 | MEDIUM | CVSS 4.3 | fixed in 1.5.13; ≥ 1.6.0, < 1.6.13 | 2026-02-09
CWE-420. Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Sources: cvelistv5, nvd
CVE-2025-68460 | HIGH | CVSS 7.5 | fixed in 1.5.12; ≥ 1.6.0, < 1.6.12 | 2025-12-18
CWE-116. Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
Sources: cvelistv5, nvd
CVE-2025-68461 | MEDIUM | CVSS 6.1 | KEV | fixed in 1.5.12; ≥ 1.6.0, < 1.6.12 | 2025-12-18
CWE-79. Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site Scripting (XSS) vulnerability via the animate tag in an SVG document.
Sources: cvelistv5, nvd
CVE-2025-49113 | HIGH | CVSS 8.8 | KEV, PoC | fixed in 1.5.10; ≥ 1.6.0, < 1.6.11 | 2025-06-02
CWE-502. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Sources: cvelistv5, nvd
CVE-2024-57004 | MEDIUM | CVSS 6.1 | v1.6.9 | 2025-02-03
CWE-80. Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
Sources: nvd
CVE-2024-42008 | CRITICAL | CVSS 9.3 | fixed in 1.5.8; ≥ 1.6.0, < 1.6.8 | 2024-08-05
CWE-79. A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
Sources: nvd
CVE-2024-42009 | CRITICAL | CVSS 9.3 | KEV, PoC | fixed in 1.5.8; ≥ 1.6.0, < 1.6.8 | 2024-08-05
CWE-79. A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.
Sources: nvd
CVE-2024-37385 | CRITICAL | CVSS 9.8 | fixed in 1.5.7; ≥ 1.6.0, < 1.6.7 | 2024-06-07
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
Sources: nvd
CVE-2024-37383 | MEDIUM | CVSS 6.1 | KEV, PoC | fixed in 1.5.7; ≥ 1.6.0, < 1.6.7 | 2024-06-07
CWE-79. Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Sources: nvd
CVE-2024-37384 | MEDIUM | CVSS 6.1 | fixed in 1.5.7; ≥ 1.6.0, < 1.6.7 | 2024-06-07
CWE-79. Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
Sources: nvd