Roundcube Webmail vulnerabilities
88 known vulnerabilities affecting roundcube/webmail.
Total CVEs: 88
CISA KEV: 11 (actively exploited)
Public exploits: 12
Exploited in wild: 12
Severity breakdown: CRITICAL 7, HIGH 20, MEDIUM 54, LOW 7
Vulnerabilities
Page 2 of 5
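The entries on this page give affected ranges in several notations ("≤ 1.1.6", "fixed in 1.3.8", "≥ 1.6.0, < 1.6.14", "v1.6.9"). The script below is an added example, not tooling from this vulnerability database or from the Roundcube project: it transcribes those ranges into uniform constraint strings and answers "which of the CVEs listed here affect version X". The constraint table, function names and the padding rule are ours; "fixed in X" is written as "<X", a single "vX" as "==X", and pre-release tags (rc, beta) are not modelled.

```python
"""Which of the CVEs on this page affect a given Roundcube version.

Added example, not tooling from the vulnerability database or the Roundcube
project. Constraint strings are transcribed from the affected-version fields
and descriptions of the entries on this page. Versions are compared as dotted
integers padded to three parts; pre-release tags are not modelled.
"""
import operator
import re

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq}
_CONSTRAINT_RE = re.compile(r"(<=|>=|==|<|>)(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.6' -> (1, 6, 0); '1.6.14' -> (1, 6, 14)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def version_in(version, spec):
    """spec is a space-separated list of constraints that must all hold,
    e.g. '>=1.6.0 <1.6.14'."""
    v = parse_version(version)
    for token in spec.split():
        m = _CONSTRAINT_RE.fullmatch(token)
        if not m:
            raise ValueError(f"bad constraint: {token!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


# Transcribed from this page's entries (ranges only; see each entry for details).
AFFECTED = {
    "CVE-2013-6172": ["<0.8.7", ">=0.9.0 <0.9.5"],
    "CVE-2015-5382": ["<1.0.6", ">=1.1.0 <1.1.2"],
    "CVE-2015-5383": [">=1.1.0 <1.1.2"],
    "CVE-2016-4069": ["<1.1.5"],
    "CVE-2016-9920": ["<1.1.7", ">=1.2.0 <1.2.3"],
    "CVE-2018-1000071": ["<=1.3.4"],
    "CVE-2018-9846": [">=1.2.0 <=1.3.5"],
    "CVE-2018-19205": ["<1.3.7"],
    "CVE-2018-19206": ["<1.3.8"],
    "CVE-2024-57004": ["==1.6.9"],
    "CVE-2025-68460": ["<1.5.12", ">=1.6.0 <1.6.12"],
    "CVE-2026-35537": ["<1.5.14", ">=1.6.0 <1.6.14"],
    "CVE-2026-35545": ["<1.5.15", ">=1.6.0 <1.6.15"],
    "CVE-2026-48843": [">=1.6.14 <1.6.16", ">=1.7.0 <1.7.1"],
    "CVE-2026-48844": [">=1.6.0 <1.6.16", ">=1.7.0 <1.7.1"],
    "CVE-2026-48846": [">=1.6.0 <1.6.16", ">=1.7.0 <1.7.1"],
    "CVE-2026-48848": [">=1.6.0 <1.6.16", ">=1.7.0 <1.7.1"],
}


def affecting(version):
    """Sorted CVE ids from AFFECTED whose ranges include `version`."""
    return sorted(cve for cve, specs in AFFECTED.items()
                  if any(version_in(version, s) for s in specs))


if __name__ == "__main__":
    for v in ("1.3.5", "1.6.13", "1.7.1"):
        print(v, affecting(v))
```

Note that open-ended lower bounds ("before 1.5.14") deliberately match every older release, which is how the NVD wording reads; if your deployment runs a branch the vendor no longer publishes fixes for, the answer is "affected" until proven otherwise.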
CVE-2016-9920 | HIGH, priority P3 | CVSS 7.5 | CWE-284 | affected: ≤ 1.1.6; v1.2.0 (+2 more) | published 2016-12-08 | source: nvd
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a craf
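The defect class in the entry above is argument injection: a user-controlled envelope-from is appended to the sendmail command line as `-f<value>`, and any whitespace in the value produces extra tokens that a sendmail-compatible MTA parses as further options. The following is an added example, not Roundcube's sendmail.inc: it models that unsafe shape next to a hardened one. `SENDMAIL`, the function names and the crafted value are ours, and the injected token is shown only as "something the MTA would read as an option", not as a specific exploit.

```python
"""Envelope-from argument injection, the CVE-2016-9920 pattern.

Added example; not Roundcube's code. Models a user-controlled envelope-from
appended as '-f<value>' to a whitespace-split parameter string (the way PHP's
mail() extra-parameters argument reaches the MTA) beside a hardened variant.
"""
import re

SENDMAIL = "/usr/sbin/sendmail"  # hypothetical path

# Bare addr-spec only: no whitespace, no angle brackets, no comments.
ADDR_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def unsafe_argv(envelope_from):
    """Vulnerable shape: the value is concatenated into one string that is
    later split on whitespace, so a space inside it creates new argv entries."""
    return f"{SENDMAIL} -oi -f{envelope_from}".split()


def injected_tokens(envelope_from):
    """argv entries that exist only because the value carried whitespace."""
    return unsafe_argv(envelope_from)[3:]


def is_safe_envelope_from(value):
    """Accept a bare address only. A leading '-' is refused even though '-' is
    a legal local-part character: on its own it would be read as an option."""
    return bool(ADDR_RE.fullmatch(value)) and not value.startswith("-")


def safe_argv(envelope_from, recipients):
    """Hardened shape: validated values, each its own argv element, '--' before
    the recipient list so nothing after it is parsed as an option. Run it as a
    list (subprocess.run(argv)) so no shell re-splits the arguments."""
    if not is_safe_envelope_from(envelope_from):
        raise ValueError(f"refusing envelope-from {envelope_from!r}")
    bad = [r for r in recipients if not is_safe_envelope_from(r)]
    if bad:
        raise ValueError(f"refusing recipients {bad!r}")
    return [SENDMAIL, "-oi", "-f", envelope_from, "--", *recipients]


if __name__ == "__main__":
    crafted = "user@example.com -X/tmp/injected"   # constructed: one value, two tokens
    print(unsafe_argv(crafted))
    # ['/usr/sbin/sendmail', '-oi', '-fuser@example.com', '-X/tmp/injected']
    print(is_safe_envelope_from(crafted))          # False
    print(safe_argv("alice@example.org", ["bob@example.net"]))
```

The validation is intentionally narrower than RFC 5322: a sender field that reaches an argv has no business carrying display names, comments or quoted local parts, and rejecting them costs nothing.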
CVE-2018-19206 | MEDIUM, priority P3 | CVSS 6.1 | CWE-79 | fixed in 1.3.8 | published 2018-11-12 | source: nvd
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
CVE-2026-35537 | HIGH, priority P3 | CVSS 7.5 | CWE-502 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | published 2026-04-03 | source: nvd
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
CVE-2026-48844 | HIGH, priority P3 | CVSS 7.5 | CWE-670 | affected: ≥ 1.6.0, < 1.6.16; ≥ 1.7.0, < 1.7.1 | published 2026-05-25 | sources: cvelistv5, nvd
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
CVE-2026-35545 | HIGH, priority P3 | CVSS 8.2 | CWE-669 | fixed in 1.5.15; ≥ 1.6.0, < 1.6.15 | published 2026-04-03 | source: nvd
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
CVE-2018-9846 | HIGH, priority P3 | CVSS 8.8 | CWE-20 | affected: ≥ 1.2.0, ≤ 1.3.5 | published 2018-04-07 | source: nvd
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less
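What the entry above calls "placing an IMAP command after a %0d%0a sequence" is CRLF injection into the IMAP stream: once the decoded parameter is interpolated into a protocol line, the embedded CRLF terminates the intended command and whatever follows is parsed by the server as a second one. The script below is an added example, not the Roundcube archive plugin; the command shape, tag values and sample parameter are ours. It shows the split on the wire and the sequence-set validation that prevents it.

```python
"""IMAP command injection through an unvalidated UID parameter (CVE-2018-9846 pattern).

Added example, not Roundcube's archive plugin. Shows how a '_uid' HTTP
parameter carrying %0d%0a becomes a CRLF inside the IMAP stream, and the
validation that keeps anything but a sequence set off the socket.
"""
import re
from urllib.parse import unquote

# IMAP sequence-set subset: '7', '1,5', '3:9', '1:4,8'
UID_SET_RE = re.compile(r"\d+(?::\d+)?(?:,\d+(?::\d+)?)*")


def build_move_command(tag, uid_param, mailbox):
    """Vulnerable shape: the decoded parameter goes straight into the line.
    (A UID MOVE is used as a stand-in for whatever the plugin issues.)"""
    return f"{tag} UID MOVE {uid_param} {mailbox}\r\n"


def server_side_lines(wire):
    """The command lines an IMAP server parses from the bytes it receives."""
    return [line for line in wire.split("\r\n") if line]


def is_valid_uid_set(raw_param):
    """Decode once, then require a pure sequence set; a CR, LF, space or
    anything else fails the full match."""
    return UID_SET_RE.fullmatch(unquote(raw_param)) is not None


def safe_move_command(tag, raw_param, mailbox):
    """Hardened shape: validate before interpolating."""
    if not is_valid_uid_set(raw_param):
        raise ValueError(f"rejecting _uid {raw_param!r}")
    return build_move_command(tag, unquote(raw_param), mailbox)


CRAFTED_UID = "123%0d%0aA002 LIST \"\" *"   # constructed: a UID, then an injected command

if __name__ == "__main__":
    wire = build_move_command("A001", unquote(CRAFTED_UID), "Archive")
    for line in server_side_lines(wire):
        print(repr(line))
    # 'A001 UID MOVE 123'
    # 'A002 LIST "" * Archive'
    print(is_valid_uid_set(CRAFTED_UID), is_valid_uid_set("1:4,8"))   # False True
```

The same check belongs on every parameter that ends up in an IMAP line (mailbox names, search criteria), not only `_uid`; for mailbox names, which legitimately contain spaces and non-ASCII, the fix is quoting or literal syntax rather than a character whitelist.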
CVE-2013-6172 | HIGH, priority P3 | CVSS 7.5 | CWE-89 | affected: ≤ 0.8.6; v0.1 (+31 more) | published 2013-11-05 | source: nvd
steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
CVE-2012-3508 | MEDIUM, priority P4 | CVSS 4.3 | CWE-79 | public exploit: PoC | affected: v0.8.0 | published 2012-08-25 | source: nvd
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.
CVE-2012-4668 | MEDIUM, priority P4 | CVSS 4.3 | CWE-79 | public exploit: PoC | affected: ≤ 0.8.1; v0.1 (+20 more) | published 2012-08-25 | source: nvd
Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.
CVE-2025-68460 | HIGH, priority P3 | CVSS 7.5 | CWE-116 | fixed in 1.5.12; ≥ 1.6.0, < 1.6.12 | published 2025-12-18 | source: nvd
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
CVE-2016-4069 | HIGH, priority P3 | CVSS 8.8 | CWE-352 | affected: ≤ 1.1.4 | published 2016-08-25 | source: nvd
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
CVE-2026-48848 | HIGH, priority P3 | CVSS 7.2 | CWE-79 | affected: ≥ 1.6.0, < 1.6.16; ≥ 1.7.0, < 1.7.1 | published 2026-05-25 | sources: cvelistv5, nvd
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
CVE-2015-5383 | HIGH, priority P3 | CVSS 7.5 | CWE-200 | affected: v1.1 | published 2017-05-23 | source: nvd
Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.
CVE-2007-6321 | MEDIUM, priority P4 | CVSS 4.3 | CWE-79 | public exploit: PoC | affected: ≤ 0.1 | published 2007-12-12 | source: nvd
Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via style sheets containing expression commands.
CVE-2018-1000071 | HIGH, priority P3 | CVSS 7.5 | CWE-732 | affected: ≤ 1.3.4 | published 2018-03-13 | source: nvd
Roundcube version 1.3.4 and earlier contains an insecure permissions vulnerability in the enigma plugin that can result in exfiltration of the GPG private key. This attack appears to be exploitable via network connectivity.
CVE-2026-48843 | MEDIUM, priority P3 | CVSS 6.5 | CWE-918 | affected: ≥ 1.6.14, < 1.6.16; ≥ 1.7.0, < 1.7.1 | published 2026-05-25 | source: cvelistv5
Roundcube Webmail 1.6.x from 1.6.14 before 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages that may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.
CVE-2024-57004 | MEDIUM, priority P4 | CVSS 6.1 | CWE-80 | affected: v1.6.9 | published 2025-02-03 | source: nvd
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
CVE-2018-19205 | HIGH, priority P3 | CVSS 7.5 | fixed in 1.3.7 | published 2018-11-12 | source: nvd
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php.
CVE-2015-5382 | MEDIUM, priority P3 | CVSS 6.5 | CWE-200 | affected: v1.1 | published 2017-05-23 | source: nvd
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
CVE-2026-48846 | MEDIUM, priority P3 | CVSS 6.5 | CWE-669 | affected: ≥ 1.6.0, < 1.6.16; ≥ 1.7.0, < 1.7.1 | published 2026-05-25 | sources: cvelistv5, nvd
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
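Four entries on this page describe the same failure from different angles: CVE-2026-35545 (an animate element targeting fill/filter/stroke), CVE-2026-48848 (CSS injection through animate attributeName), CVE-2026-48846 (a CSS var() value) and CVE-2026-48843 (stylesheet links to local-network hosts). In each case a message fetches a URL without an img tag, so a blocker that only inspects img and background-image misses it. The scanner below is an added example, not Roundcube's sanitizer: it lists such references in an SVG document and marks the ones aimed at internal hosts, so a sanitizer or mail-filter test suite can assert they are stripped. Function names, the regexes and the sample SVG are ours; the regexes are a detector, not a CSS parser, and are deliberately loose.

```python
"""Flag SVG/CSS constructs that pull remote content past an image blocker.

Added example, not Roundcube's sanitizer. Covers the constructs named in
CVE-2026-35545, CVE-2026-48848, CVE-2026-48846 and CVE-2026-48843:
<animate>/<set> on fill/filter/stroke, url() inside CSS custom properties
(consumed via var()), and @import stylesheet links, with an internal-host check.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PAINT_ATTRS = {"fill", "filter", "stroke"}
URL_RE = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]+)", re.I)
IMPORT_RE = re.compile(r"@import\s+(?:url\()?\s*['\"]?([^'\")\s;]+)", re.I)
CUSTOM_PROP_RE = re.compile(r"--[\w-]+\s*:\s*([^;}]+)")


def _local(tag):
    """'{http://www.w3.org/2000/svg}style' -> 'style'."""
    return tag.rsplit("}", 1)[-1]


def css_references(css):
    """(kind, url) pairs for @import targets and url() values stored in
    custom properties, which var() later turns into a fetch."""
    refs = [("import", m.group(1)) for m in IMPORT_RE.finditer(css)]
    for m in CUSTOM_PROP_RE.finditer(css):
        refs += [("var", u) for u in URL_RE.findall(m.group(1))]
    return refs


def remote_references(svg_text):
    """Walk the SVG in document order and collect every reference of interest."""
    refs = []
    for el in ET.fromstring(svg_text).iter():
        name = _local(el.tag)
        if name in ("animate", "set") and el.get("attributeName") in PAINT_ATTRS:
            animated = " ".join(el.get(a, "") for a in ("values", "from", "to", "by"))
            refs += [(f"animate:{el.get('attributeName')}", u)
                     for u in URL_RE.findall(animated)]
        if name == "style" and el.text:
            refs += css_references(el.text)
        if el.get("style"):
            refs += css_references(el.get("style"))
    return refs


def targets_internal_host(url):
    """True for loopback/private/link-local IPs, 'localhost' and dotless names;
    False when the URL has no host at all (data:, relative paths)."""
    host = urlparse(url).hostname or ""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or "." not in host
    return ip.is_private or ip.is_loopback or ip.is_link_local


# Constructed sample combining the three techniques.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <style>
    @import url("http://10.0.0.5/track.css");
    :root { --bg: url(http://tracker.example/pixel.png); }
  </style>
  <rect width="10" height="10">
    <animate attributeName="fill" values="red;url(http://tracker.example/a.png)" dur="1s"/>
  </rect>
</svg>"""

if __name__ == "__main__":
    for kind, url in remote_references(SAMPLE_SVG):
        print(f"{kind:14} {url}  internal={targets_internal_host(url)}")
```

Hostnames that are not IP literals cannot be classified offline, so the check treats only `localhost` and dotless names as internal; a real filter that resolves names must also guard against DNS answers that point back into RFC 1918 space.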