Aggregates CVE and security vulnerability intelligence across all Roundcube-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk input validation, vendor risk ssrf, and vendor risk file inclusion and related problems; some flaws may lead to vendor impact application crash and vendor impact memory corruption.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-68460 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer. | [email protected] | 7.2 | 0.24% | 2025-12-18 | 2026-06-17 |
| CVE-2025-49113 KEV | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | [email protected] | 9.9 | 89.46% | 2025-06-02 | 2026-06-17 |
| CVE-2024-57004 | Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session. | [email protected] | 6.1 | 28.82% | 2025-02-03 | 2026-06-17 |
| CVE-2024-42009 KEV | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | [email protected] | 9.3 | 83.39% | 2024-08-05 | 2026-06-17 |
| CVE-2024-42008 | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | [email protected] | 9.3 | 33.89% | 2024-08-05 | 2026-06-17 |
| CVE-2024-37385 | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. | [email protected] | 9.8 | 1.48% | 2024-06-07 | 2026-06-17 |
| CVE-2024-37384 | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. | [email protected] | 6.1 | 0.53% | 2024-06-07 | 2026-06-17 |
| CVE-2024-37383 KEV | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. | [email protected] | 6.1 | 73.30% | 2024-06-07 | 2026-06-17 |
| CVE-2023-47272 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | [email protected] | 6.1 | 0.64% | 2023-11-05 | 2026-06-17 |
| CVE-2023-5631 KEV | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. | [email protected] | 6.1 | 73.45% | 2023-10-18 | 2026-06-17 |
| CVE-2023-43770 KEV | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | [email protected] | 6.1 | 58.48% | 2023-09-22 | 2026-06-17 |
| CVE-2021-46144 | Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. | [email protected] | 6.1 | 1.04% | 2022-01-06 | 2026-06-17 |
| CVE-2021-44026 KEV | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | [email protected] | 9.8 | 42.75% | 2021-11-18 | 2026-06-17 |
| CVE-2021-44025 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | [email protected] | 6.1 | 1.05% | 2021-11-18 | 2026-06-17 |
| CVE-2020-18671 | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | [email protected] | 5.4 | 0.81% | 2021-06-24 | 2026-06-16 |
| CVE-2020-18670 | Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. | [email protected] | 5.4 | 0.92% | 2021-06-24 | 2026-06-16 |
| CVE-2021-26925 | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. | [email protected] | 5.4 | 1.01% | 2021-02-09 | 2026-06-16 |
| CVE-2020-35730 KEV | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. | [email protected] | 6.1 | 32.82% | 2020-12-28 | 2026-06-16 |
| CVE-2020-16145 | Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. | [email protected] | 6.1 | 1.94% | 2020-08-12 | 2026-06-16 |
| CVE-2020-15562 | An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. | [email protected] | 6.1 | 2.07% | 2020-07-06 | 2026-06-16 |