Roundcube CVEs & Vulnerabilities

8 CVEs affecting Roundcube products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

webmail 8
CVE-2026-35545HIGH

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

3 Apr 2026
8.2
CVSS
CVE-2026-35544MEDIUM

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

3 Apr 2026
5.3
CVSS
CVE-2026-35543MEDIUM

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

3 Apr 2026
5.3
CVSS
CVE-2026-35542MEDIUM

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

3 Apr 2026
5.3
CVSS
CVE-2026-35541MEDIUM

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

3 Apr 2026
4.2
CVSS
CVE-2026-35540MEDIUM

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

3 Apr 2026
6.5
CVSS
CVE-2026-35539MEDIUM

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

3 Apr 2026
6.1
CVSS
CVE-2026-35538LOW

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

3 Apr 2026
3.1
CVSS
← PrevPage 1 / 1Next →