Search

Find a vulnerability

Search criteria

    217 vulnerabilities by Roundcube

    CVE-2026-54433 (GCVE-0-2026-54433)

    Vulnerability from nvd – Published: 2026-07-14 16:18 – Updated: 2026-07-14 16:18
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim's authenticated session simply by opening or previewing the message (zero-click).
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim\u0027s authenticated session simply by opening or previewing the message (zero-click)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T16:18:16.549Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-54433",
        "datePublished": "2026-07-14T16:18:16.549Z",
        "dateReserved": "2026-06-15T13:29:12.505Z",
        "dateUpdated": "2026-07-14T16:18:16.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54432 (GCVE-0-2026-54432)

    Vulnerability from nvd – Published: 2026-07-14 16:21 – Updated: 2026-07-14 16:21
    VLAI
    Summary
    Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T16:21:55.409Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-54432",
        "datePublished": "2026-07-14T16:21:55.409Z",
        "dateReserved": "2026-06-15T13:27:41.810Z",
        "dateUpdated": "2026-07-14T16:21:55.409Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62644 (GCVE-0-2026-62644)

    Vulnerability from nvd – Published: 2026-07-14 15:55 – Updated: 2026-07-14 17:15
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62644",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:13:58.999753Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:15:20.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:55:22.925Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/7414fef51cd2407d39faab99680763f10ed5231d"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/9a96c20d8c7c9135876b68bebd6960af3ee60923"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62644",
        "datePublished": "2026-07-14T15:55:22.925Z",
        "dateReserved": "2026-07-14T15:55:22.524Z",
        "dateUpdated": "2026-07-14T17:15:20.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62643 (GCVE-0-2026-62643)

    Vulnerability from nvd – Published: 2026-07-14 15:51 – Updated: 2026-07-14 17:17
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. NOTE: this issue exists because of insufficient fixes for CVE-2026-35540 and CVE-2026-48843.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62643",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:16:46.129338Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:17:16.894Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. NOTE: this issue exists because of insufficient fixes for CVE-2026-35540 and CVE-2026-48843."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:51:46.996Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/6d69e094d55d3a9a84dfb36edf6ca985311f0c1c"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040cef8607b677d459e0786"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62643",
        "datePublished": "2026-07-14T15:51:46.996Z",
        "dateReserved": "2026-07-14T15:51:46.593Z",
        "dateUpdated": "2026-07-14T17:17:16.894Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62642 (GCVE-0-2026-62642)

    Vulnerability from nvd – Published: 2026-07-14 15:49 – Updated: 2026-07-14 17:18
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62642",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:17:53.646785Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:18:18.192Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:49:17.798Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/877269c79359d959a94f13c9070cab0f3389c193"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/fb952956c6eaf29e963f1a718d028d66e7957ce0"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62642",
        "datePublished": "2026-07-14T15:49:17.798Z",
        "dateReserved": "2026-07-14T15:49:17.389Z",
        "dateUpdated": "2026-07-14T17:18:18.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62641 (GCVE-0-2026-62641)

    Vulnerability from nvd – Published: 2026-07-14 15:46 – Updated: 2026-07-14 17:27
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the TNEF decoder was subject to denial of service via a crafted compressed-RTF size.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62641",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:23:21.954751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:27:50.013Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the TNEF decoder was subject to denial of service via a crafted compressed-RTF size."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:46:29.138Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/6d1004fd3764a9606c53130b322c0f295c38be64"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda511b8464fe9cb34b522c1"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62641",
        "datePublished": "2026-07-14T15:46:29.138Z",
        "dateReserved": "2026-07-14T15:46:28.729Z",
        "dateUpdated": "2026-07-14T17:27:50.013Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9818 (GCVE-0-2026-9818)

    Vulnerability from nvd – Published: 2026-05-28 12:16 – Updated: 2026-05-28 16:35
    VLAI

    This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-05-28T16:35:38.661Z",
            "orgId": "6064c9f1-42e5-4cc5-a67a-1636d7a9d3fd",
            "shortName": "OCD"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
                }
              ],
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6064c9f1-42e5-4cc5-a67a-1636d7a9d3fd",
        "assignerShortName": "OCD",
        "cveId": "CVE-2026-9818",
        "datePublished": "2026-05-28T12:16:05.464Z",
        "dateRejected": "2026-05-28T16:35:38.661Z",
        "dateReserved": "2026-05-28T10:37:45.625Z",
        "dateUpdated": "2026-05-28T16:35:38.661Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48849 (GCVE-0-2026-48849)

    Vulnerability from nvd – Published: 2026-05-25 19:30 – Updated: 2026-05-26 13:01
    VLAI
    Summary
    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:01:01.120678Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:01:11.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:30:38.414Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/189d30a4890319cd687df959ca9f768a3a613d61"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48849",
        "datePublished": "2026-05-25T19:30:38.414Z",
        "dateReserved": "2026-05-25T19:30:37.961Z",
        "dateUpdated": "2026-05-26T13:01:11.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48848 (GCVE-0-2026-48848)

    Vulnerability from nvd – Published: 2026-05-25 19:27 – Updated: 2026-05-26 13:00
    VLAI
    Summary
    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48848",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:00:37.600791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:00:52.631Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:27:54.841Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48848",
        "datePublished": "2026-05-25T19:27:54.841Z",
        "dateReserved": "2026-05-25T19:27:54.328Z",
        "dateUpdated": "2026-05-26T13:00:52.631Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48847 (GCVE-0-2026-48847)

    Vulnerability from nvd – Published: 2026-05-25 19:23 – Updated: 2026-05-26 13:02
    VLAI
    Summary
    Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-669 - Incorrect Resource Transfer Between Spheres
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48847",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:02:06.964955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:02:10.123Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-669",
                  "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:23:40.853Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/a4eb375b98cc3d055de665c34efc729dd8ef272a"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48847",
        "datePublished": "2026-05-25T19:23:40.853Z",
        "dateReserved": "2026-05-25T19:23:40.394Z",
        "dateUpdated": "2026-05-26T13:02:10.123Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48846 (GCVE-0-2026-48846)

    Vulnerability from nvd – Published: 2026-05-25 19:21 – Updated: 2026-05-26 13:05
    VLAI
    Summary
    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-669 - Incorrect Resource Transfer Between Spheres
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:05:47.625139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:05:56.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-669",
                  "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:21:09.656Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/59cca80908a61e662c5f81741449e9aeb91e8abe"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48846",
        "datePublished": "2026-05-25T19:21:09.656Z",
        "dateReserved": "2026-05-25T19:21:09.220Z",
        "dateUpdated": "2026-05-26T13:05:56.818Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48845 (GCVE-0-2026-48845)

    Vulnerability from nvd – Published: 2026-05-25 19:18 – Updated: 2026-05-27 03:55
    VLAI
    Summary
    In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-669 - Incorrect Resource Transfer Between Spheres
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.14 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T03:55:26.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.14",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.14",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-669",
                  "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:18:09.549Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/d82b8c6cd06c378eca6d647ccd548f4ff1c68659"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48845",
        "datePublished": "2026-05-25T19:18:09.549Z",
        "dateReserved": "2026-05-25T19:18:09.073Z",
        "dateUpdated": "2026-05-27T03:55:26.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48844 (GCVE-0-2026-48844)

    Vulnerability from nvd – Published: 2026-05-25 19:14 – Updated: 2026-05-26 12:48
    VLAI
    Summary
    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-670 - Always-Incorrect Control Flow Implementation
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48844",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T12:47:59.328236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T12:48:17.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-670",
                  "description": "CWE-670 Always-Incorrect Control Flow Implementation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:14:48.753Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48844",
        "datePublished": "2026-05-25T19:14:48.753Z",
        "dateReserved": "2026-05-25T19:14:48.252Z",
        "dateUpdated": "2026-05-26T12:48:17.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48843 (GCVE-0-2026-48843)

    Vulnerability from nvd – Published: 2026-05-25 19:11 – Updated: 2026-05-26 12:50
    VLAI
    Summary
    Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.14 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48843",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T12:50:34.552140Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T12:50:42.557Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.14",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.14",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:32:10.818Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/ab96c88bfd888866ec5e02190b19618db283923a"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48843",
        "datePublished": "2026-05-25T19:11:04.351Z",
        "dateReserved": "2026-05-25T19:11:03.274Z",
        "dateUpdated": "2026-05-26T12:50:42.557Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48842 (GCVE-0-2026-48842)

    Vulnerability from nvd – Published: 2026-05-25 19:06 – Updated: 2026-06-03 21:03
    VLAI
    Summary
    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48842",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T12:58:31.395155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T12:58:38.417Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-03T21:03:52.811Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/03/17"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:06:37.434Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/3406183a9976e36f992d3468f37d0e2346526ee9"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48842",
        "datePublished": "2026-05-25T19:06:37.434Z",
        "dateReserved": "2026-05-25T19:06:36.924Z",
        "dateUpdated": "2026-06-03T21:03:52.811Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54432 (GCVE-0-2026-54432)

    Vulnerability from cvelistv5 – Published: 2026-07-14 16:21 – Updated: 2026-07-14 16:21
    VLAI
    Summary
    Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T16:21:55.409Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-54432",
        "datePublished": "2026-07-14T16:21:55.409Z",
        "dateReserved": "2026-06-15T13:27:41.810Z",
        "dateUpdated": "2026-07-14T16:21:55.409Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54433 (GCVE-0-2026-54433)

    Vulnerability from cvelistv5 – Published: 2026-07-14 16:18 – Updated: 2026-07-14 16:18
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim's authenticated session simply by opening or previewing the message (zero-click).
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim\u0027s authenticated session simply by opening or previewing the message (zero-click)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T16:18:16.549Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-54433",
        "datePublished": "2026-07-14T16:18:16.549Z",
        "dateReserved": "2026-06-15T13:29:12.505Z",
        "dateUpdated": "2026-07-14T16:18:16.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62644 (GCVE-0-2026-62644)

    Vulnerability from cvelistv5 – Published: 2026-07-14 15:55 – Updated: 2026-07-14 17:15
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62644",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:13:58.999753Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:15:20.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:55:22.925Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/7414fef51cd2407d39faab99680763f10ed5231d"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/9a96c20d8c7c9135876b68bebd6960af3ee60923"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62644",
        "datePublished": "2026-07-14T15:55:22.925Z",
        "dateReserved": "2026-07-14T15:55:22.524Z",
        "dateUpdated": "2026-07-14T17:15:20.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62643 (GCVE-0-2026-62643)

    Vulnerability from cvelistv5 – Published: 2026-07-14 15:51 – Updated: 2026-07-14 17:17
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. NOTE: this issue exists because of insufficient fixes for CVE-2026-35540 and CVE-2026-48843.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62643",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:16:46.129338Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:17:16.894Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. NOTE: this issue exists because of insufficient fixes for CVE-2026-35540 and CVE-2026-48843."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:51:46.996Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/6d69e094d55d3a9a84dfb36edf6ca985311f0c1c"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040cef8607b677d459e0786"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62643",
        "datePublished": "2026-07-14T15:51:46.996Z",
        "dateReserved": "2026-07-14T15:51:46.593Z",
        "dateUpdated": "2026-07-14T17:17:16.894Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62642 (GCVE-0-2026-62642)

    Vulnerability from cvelistv5 – Published: 2026-07-14 15:49 – Updated: 2026-07-14 17:18
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62642",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:17:53.646785Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:18:18.192Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:49:17.798Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/877269c79359d959a94f13c9070cab0f3389c193"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/fb952956c6eaf29e963f1a718d028d66e7957ce0"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62642",
        "datePublished": "2026-07-14T15:49:17.798Z",
        "dateReserved": "2026-07-14T15:49:17.389Z",
        "dateUpdated": "2026-07-14T17:18:18.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62641 (GCVE-0-2026-62641)

    Vulnerability from cvelistv5 – Published: 2026-07-14 15:46 – Updated: 2026-07-14 17:27
    VLAI
    Summary
    In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the TNEF decoder was subject to denial of service via a crafted compressed-RTF size.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.17 (semver)
    Affected: 1.7.0 , < 1.7.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-62641",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T17:23:21.954751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T17:27:50.013Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.17",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.2",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.17",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.2",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the TNEF decoder was subject to denial of service via a crafted compressed-RTF size."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:46:29.138Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/6d1004fd3764a9606c53130b322c0f295c38be64"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda511b8464fe9cb34b522c1"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-62641",
        "datePublished": "2026-07-14T15:46:29.138Z",
        "dateReserved": "2026-07-14T15:46:28.729Z",
        "dateUpdated": "2026-07-14T17:27:50.013Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9818 (GCVE-0-2026-9818)

    Vulnerability from cvelistv5 – Published: 2026-05-28 12:16 – Updated: 2026-05-28 16:35
    VLAI

    This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-05-28T16:35:38.661Z",
            "orgId": "6064c9f1-42e5-4cc5-a67a-1636d7a9d3fd",
            "shortName": "OCD"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
                }
              ],
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6064c9f1-42e5-4cc5-a67a-1636d7a9d3fd",
        "assignerShortName": "OCD",
        "cveId": "CVE-2026-9818",
        "datePublished": "2026-05-28T12:16:05.464Z",
        "dateRejected": "2026-05-28T16:35:38.661Z",
        "dateReserved": "2026-05-28T10:37:45.625Z",
        "dateUpdated": "2026-05-28T16:35:38.661Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48849 (GCVE-0-2026-48849)

    Vulnerability from cvelistv5 – Published: 2026-05-25 19:30 – Updated: 2026-05-26 13:01
    VLAI
    Summary
    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:01:01.120678Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:01:11.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:30:38.414Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/189d30a4890319cd687df959ca9f768a3a613d61"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48849",
        "datePublished": "2026-05-25T19:30:38.414Z",
        "dateReserved": "2026-05-25T19:30:37.961Z",
        "dateUpdated": "2026-05-26T13:01:11.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48848 (GCVE-0-2026-48848)

    Vulnerability from cvelistv5 – Published: 2026-05-25 19:27 – Updated: 2026-05-26 13:00
    VLAI
    Summary
    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48848",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:00:37.600791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:00:52.631Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:27:54.841Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48848",
        "datePublished": "2026-05-25T19:27:54.841Z",
        "dateReserved": "2026-05-25T19:27:54.328Z",
        "dateUpdated": "2026-05-26T13:00:52.631Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48847 (GCVE-0-2026-48847)

    Vulnerability from cvelistv5 – Published: 2026-05-25 19:23 – Updated: 2026-05-26 13:02
    VLAI
    Summary
    Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-669 - Incorrect Resource Transfer Between Spheres
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48847",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:02:06.964955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:02:10.123Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-669",
                  "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:23:40.853Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/a4eb375b98cc3d055de665c34efc729dd8ef272a"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48847",
        "datePublished": "2026-05-25T19:23:40.853Z",
        "dateReserved": "2026-05-25T19:23:40.394Z",
        "dateUpdated": "2026-05-26T13:02:10.123Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48846 (GCVE-0-2026-48846)

    Vulnerability from cvelistv5 – Published: 2026-05-25 19:21 – Updated: 2026-05-26 13:05
    VLAI
    Summary
    In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-669 - Incorrect Resource Transfer Between Spheres
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:05:47.625139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:05:56.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-669",
                  "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:21:09.656Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/59cca80908a61e662c5f81741449e9aeb91e8abe"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48846",
        "datePublished": "2026-05-25T19:21:09.656Z",
        "dateReserved": "2026-05-25T19:21:09.220Z",
        "dateUpdated": "2026-05-26T13:05:56.818Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48845 (GCVE-0-2026-48845)

    Vulnerability from cvelistv5 – Published: 2026-05-25 19:18 – Updated: 2026-05-27 03:55
    VLAI
    Summary
    In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-669 - Incorrect Resource Transfer Between Spheres
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.14 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T03:55:26.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.14",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.14",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-669",
                  "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:18:09.549Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/d82b8c6cd06c378eca6d647ccd548f4ff1c68659"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48845",
        "datePublished": "2026-05-25T19:18:09.549Z",
        "dateReserved": "2026-05-25T19:18:09.073Z",
        "dateUpdated": "2026-05-27T03:55:26.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48844 (GCVE-0-2026-48844)

    Vulnerability from cvelistv5 – Published: 2026-05-25 19:14 – Updated: 2026-05-26 12:48
    VLAI
    Summary
    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-670 - Always-Incorrect Control Flow Implementation
    Assigner
    Impacted products
    Vendor Product Version
    Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48844",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T12:47:59.328236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T12:48:17.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Webmail",
              "vendor": "Roundcube",
              "versions": [
                {
                  "lessThan": "1.6.16",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.6.16",
                      "versionStartIncluding": "1.6.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.7.1",
                      "versionStartIncluding": "1.7.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-670",
                  "description": "CWE-670 Always-Incorrect Control Flow Implementation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-25T19:14:48.753Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
            },
            {
              "url": "https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a"
            }
          ],
          "x_generator": {
            "engine": "CVE-Request-form 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-48844",
        "datePublished": "2026-05-25T19:14:48.753Z",
        "dateReserved": "2026-05-25T19:14:48.252Z",
        "dateUpdated": "2026-05-26T12:48:17.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CERTFR-2026-AVI-0835

    Vulnerability from certfr_avis - Published: 2026-07-06 - Updated: 2026-07-06

    De multiples vulnérabilités ont été découvertes dans Roundcube. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une falsification de requêtes côté serveur (SSRF) et une injection de code indirecte à distance (XSS).

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Roundcube Roundcube Webmail Roundcube Webmail versions 1.7.x antérieures à 1.7.2
    Roundcube Roundcube Webmail Roundcube Webmail versions 1.6.x antérieures à 1.6.17
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Roundcube Webmail versions 1.7.x ant\u00e9rieures \u00e0 1.7.2",
          "product": {
            "name": "Roundcube Webmail",
            "vendor": {
              "name": "Roundcube",
              "scada": false
            }
          }
        },
        {
          "description": "Roundcube Webmail versions 1.6.x ant\u00e9rieures \u00e0 1.6.17",
          "product": {
            "name": "Roundcube Webmail",
            "vendor": {
              "name": "Roundcube",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2026-54432",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54432"
        },
        {
          "name": "CVE-2026-54433",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54433"
        }
      ],
      "initial_release_date": "2026-07-06T00:00:00",
      "last_revision_date": "2026-07-06T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0835",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-07-06T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        },
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        },
        {
          "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Roundcube. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF) et une injection de code indirecte \u00e0 distance (XSS).",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Roundcube",
      "vendor_advisories": [
        {
          "published_at": "2026-07-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Roundcube security-updates-1.6.17-and-1.7.2",
          "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
        }
      ]
    }

    CERTFR-2026-AVI-0644

    Vulnerability from certfr_avis - Published: 2026-05-26 - Updated: 2026-05-26

    De multiples vulnérabilités ont été découvertes dans Roundcube. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Roundcube Roundcube Webmail Roundcube Webmail versions 1.7.x antérieures à 1.7.1
    Roundcube Roundcube Webmail Roundcube Webmail versions 1.6.x antérieures à 1.6.16
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Roundcube Webmail versions 1.7.x ant\u00e9rieures \u00e0 1.7.1",
          "product": {
            "name": "Roundcube Webmail",
            "vendor": {
              "name": "Roundcube",
              "scada": false
            }
          }
        },
        {
          "description": "Roundcube Webmail versions 1.6.x ant\u00e9rieures \u00e0 1.6.16",
          "product": {
            "name": "Roundcube Webmail",
            "vendor": {
              "name": "Roundcube",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2026-05-26T00:00:00",
      "last_revision_date": "2026-05-26T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0644",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-05-26T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
        },
        {
          "description": "Injection SQL (SQLi)"
        },
        {
          "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        },
        {
          "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Roundcube. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Roundcube",
      "vendor_advisories": [
        {
          "published_at": "2026-05-24",
          "title": "Bulletin de s\u00e9curit\u00e9 Roundcube security-updates-1.6.16-and-1.7.1",
          "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
        }
      ]
    }