Roundcube Webmail vulnerabilities
88 known vulnerabilities affecting roundcube/webmail.
Total CVEs: 88
CISA KEV: 11 (actively exploited)
Public exploits: 12
Exploited in wild: 12
Severity breakdown
CRITICAL 7, HIGH 20, MEDIUM 54, LOW 7
Vulnerabilities
Page 5 of 5
CVE-2012-6121 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | ≤ 0.8.4, v0.1 +23 more | 2013-02-24
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.
nvd
CVE-2009-0413 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | v0.2 | 2009-02-03
Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message.
nvd
CVE-2011-1491 | P4 | LOW | CVSS 3.5 | CWE-20 | ≤ 0.5, v0.1 +9 more | 2011-04-08
The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then compose an e-mail message, related to a "login CSRF" issue.
nvd
CVE-2015-8105 | P4 | LOW | CVSS 3.5 | CWE-79 | ≤ 1.0.6, v1.1.0 +2 more | 2015-11-10
Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.
nvd
CVE-2026-35538 | P4 | LOW | CVSS 3.1 | CWE-88 | fixed in 1.5.14; ≥ 1.6.0, < 1.6.14 | 2026-04-03
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
nvd
CVE-2013-5646 | P4 | LOW | CVSS 3.5 | CWE-79 | v1.0 | 2013-08-29
Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.
nvd
CVE-2012-3507 | P4 | LOW | CVSS 2.6 | CWE-79 | ≤ 0.7.3, v0.1 +18 more | 2012-08-25
Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject.
nvd
CVE-2012-1253 | P4 | LOW | CVSS 2.6 | CWE-79 | ≤ 0.6, v0.1 +14 more | 2012-06-04
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.
nvd