roundcube/roundcubemail
Packagist10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting roundcube/roundcubemailpage 1 of 1
- CVE-2025-49113CRITICALCVSS 9.9EG 9.9⚠ KEV✓ Fixed in 1.6.112025-06-02
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
- CVE-2026-35537LOWCVSS 3.7EG 3.7✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
- CVE-2026-35538LOWCVSS 3.1EG 3.1✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
- CVE-2026-35539MEDIUMCVSS 6.1EG 6.1✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
- CVE-2026-35540MEDIUMCVSS 5.4EG 5.4✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network h…
- CVE-2026-35541MEDIUMCVSS 4.2EG 4.2✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
- CVE-2026-35542MEDIUMCVSS 5.3EG 5.3✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or …
- CVE-2026-35543MEDIUMCVSS 5.3EG 5.3✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-cont…
- CVE-2026-35544MEDIUMCVSS 5.3EG 5.3✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
- CVE-2026-35545MEDIUMCVSS 5.3EG 5.3✓ Fixed in 1.7-rc52026-04-03
vulnerable: 1.7-beta ... 1.7-rc4 (6 versions)
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves …
Check whether roundcube/roundcubemail is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for roundcube/roundcubemail CVEs against the assets you own.
Start Free Scan →