cvebase

Roundcube Webmail vulnerabilities

88 known vulnerabilities affecting roundcube/webmail.

Total CVEs: 88
CISA KEV: 11 (actively exploited)
Public exploits: 12
Exploited in wild: 12
Severity breakdown: CRITICAL 7, HIGH 20, MEDIUM 54, LOW 7

Vulnerabilities

Page 5 of 5
CVE-2012-6121 | P4 | MEDIUM | CVSS 4.3 | ≤ 0.8.4 | v0.1 +23 more | 2013-02-24
CVE-2012-6121 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.
nvd
CVE-2009-0413 | P4 | MEDIUM | CVSS 4.3 | v0.2 | 2009-02-03
CVE-2009-0413 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message.
nvd
CVE-2011-1491 | P4 | LOW | CVSS 3.5 | ≤ 0.5 | v0.1 +9 more | 2011-04-08
CVE-2011-1491 [LOW] CWE-20: The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then compose an e-mail message, related to a "login CSRF" issue.
nvd
CVE-2015-8105 | P4 | LOW | CVSS 3.5 | ≤ 1.0.6 | v1.1.0 +2 more | 2015-11-10
CVE-2015-8105 [LOW] CWE-79: Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.
nvd
CVE-2026-35538 | P4 | LOW | CVSS 3.1 | fixed in 1.5.14 | ≥ 1.6.0, < 1.6.14 | 2026-04-03
CVE-2026-35538 [LOW] CWE-88: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
nvd
CVE-2013-5646 | P4 | LOW | CVSS 3.5 | v1.0 | 2013-08-29
CVE-2013-5646 [LOW] CWE-79: Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.
nvd
CVE-2012-3507 | P4 | LOW | CVSS 2.6 | ≤ 0.7.3 | v0.1 +18 more | 2012-08-25
CVE-2012-3507 [LOW] CWE-79: Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject.
nvd
CVE-2012-1253 | P4 | LOW | CVSS 2.6 | ≤ 0.6 | v0.1 +14 more | 2012-06-04
CVE-2012-1253 [LOW] CWE-79: Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.
nvd