
Roundcube Webmail vulnerabilities

88 known vulnerabilities affecting roundcube/webmail.

Total CVEs: 88
CISA KEV: 11 (actively exploited)
Public exploits: 12
Exploited in wild: 12
Severity breakdown: CRITICAL 7, HIGH 20, MEDIUM 54, LOW 7

Vulnerabilities

Page 3 of 5
CVE-2026-48845 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 1.6.14, < 1.6.16; ≥ 1.7.0, < 1.7.1 | Published: 2026-05-25
CWE-669. In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
Sources: cvelistv5, nvd
CVE-2026-35540 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 1.6.0, < 1.6.14; ≥ 1.6.14, < 1.6.16; +1 more | Published: 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Source: nvd
CVE-2019-15237 | P4 | HIGH | CVSS 7.4 | Affected: ≤ 1.3.9 | Published: 2019-08-20
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Source: nvd
CVE-2014-9587 | P4 | MEDIUM | CVSS 6.8 | Affected: ≤ 1.0.3 | Published: 2015-01-15
CWE-352. Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.
Source: nvd
CVE-2008-5620 | P4 | HIGH | CVSS 7.8 | Affected: ≤ 0.2; v0.1; +2 more | Published: 2008-12-17
CWE-399. RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted size parameters that are used to create a large quota image.
Source: nvd
CVE-2026-35542 | P4 | MEDIUM | CVSS 5.3 | Affected: fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | Published: 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Source: nvd
CVE-2026-35543 | P4 | MEDIUM | CVSS 5.3 | Affected: fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | Published: 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Source: nvd
CVE-2020-12626 | P4 | MEDIUM | CVSS 6.5 | Affected: fixed in 1.4.4 | Published: 2020-05-04
CWE-352. An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
Source: nvd
CVE-2011-1492 | P4 | MEDIUM | CVSS 5.5 | Affected: ≤ 0.5; v0.1; +9 more | Published: 2011-04-08
CWE-20. steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.
Source: nvd
CVE-2015-8864 | P4 | MEDIUM | CVSS 6.1 | Affected: ≤ 1.0.8; v1.1; +1 more | Published: 2017-04-13
CWE-79. Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
Source: nvd
CVE-2020-16145 | P4 | MEDIUM | CVSS 6.1 | Affected: fixed in 1.3.15; ≥ 1.4.0, < 1.4.8 | Published: 2020-08-12
CWE-79. Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
Source: nvd
CVE-2026-35539 | P4 | MEDIUM | CVSS 6.1 | Affected: fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | Published: 2026-04-03
CWE-79. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
Source: nvd
CVE-2026-35544 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 1.5.13; ≥ 1.6.0, ≤ 1.6.13; +2 more | Published: 2026-04-03
CWE-669. An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Source: nvd
CVE-2026-26079 | P4 | MEDIUM | CVSS 4.7 | Affected: fixed in 1.5.13; ≥ 1.6.0, < 1.6.13 | Published: 2026-02-11
CWE-829. Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Source: nvd
CVE-2016-4068 | P4 | MEDIUM | CVSS 6.1 | Affected: ≤ 1.0.8; v1.1; +1 more | Published: 2017-04-13
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
Source: nvd
CVE-2020-15562 | P4 | MEDIUM | CVSS 6.1 | Affected: fixed in 1.2.11; ≥ 1.3.0, < 1.3.14; +1 more | Published: 2020-07-06
CWE-79. An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
Source: nvd
CVE-2024-37384 | P4 | MEDIUM | CVSS 6.1 | Affected: fixed in 1.5.7; ≥ 1.6.0, < 1.6.7 | Published: 2024-06-07
CWE-79. Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
Source: nvd
CVE-2009-4077 | P4 | MEDIUM | CVSS 6.8 | Affected: ≤ 0.2.2; v0.1; +3 more | Published: 2009-11-25
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076.
Source: nvd
CVE-2023-47272 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 1.5.0, < 1.5.6; ≥ 1.6.0, < 1.6.5 | Published: 2023-11-06
CWE-79. Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
Source: nvd
CVE-2009-4076 | P4 | MEDIUM | CVSS 6.8 | Affected: ≤ 0.2.2; v0.1; +3 more | Published: 2009-11-25
CWE-352. Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077.
Source: nvd