What is GHSA-p64r-9rcj-x33x?

GHSA-p64r-9rcj-x33x is a security advisory published by GitHub Security Advisories with High severity. Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization...

Which CVE IDs does GHSA-p64r-9rcj-x33x cover?

GHSA-p64r-9rcj-x33x covers the following CVE IDs: CVE-2026-48848. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-p64r-9rcj-x33x?

GHSA-p64r-9rcj-x33x has a CVSS v3 base score of 7.2, published by GitHub Security Advisories.

GHSA-p64r-9rcj-x33xHighCVSS 7.2

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-48848 →

📋 Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

🔗 References (7)

https://nvd.nist.gov/vuln/detail/CVE-2026-48848
https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27
https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
https://github.com/advisories/GHSA-p64r-9rcj-x33x