Roundcube CVE Vulnerabilities & CVE List (93)

Products (CPE): — CVEs: 93

Roundcube vulnerability overview

Aggregates CVE and security vulnerability intelligence across all Roundcube-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve vendor risk input validation, vendor risk ssrf, and vendor risk file inclusion and related problems; some flaws may lead to vendor impact application crash and vendor impact memory corruption.

Vulnerability distribution trend (last 24 months)

Showing 2140 of 93 CVEs
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2025-68460 Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer. [email protected] 7.2 0.24% 2025-12-18 2026-06-17
CVE-2025-49113 KEV Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. [email protected] 9.9 89.46% 2025-06-02 2026-06-17
CVE-2024-57004 Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session. [email protected] 6.1 28.82% 2025-02-03 2026-06-17
CVE-2024-42009 KEV A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. [email protected] 9.3 83.39% 2024-08-05 2026-06-17
CVE-2024-42008 A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. [email protected] 9.3 33.89% 2024-08-05 2026-06-17
CVE-2024-37385 Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. [email protected] 9.8 1.48% 2024-06-07 2026-06-17
CVE-2024-37384 Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. [email protected] 6.1 0.53% 2024-06-07 2026-06-17
CVE-2024-37383 KEV Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. [email protected] 6.1 73.30% 2024-06-07 2026-06-17
CVE-2023-47272 Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). [email protected] 6.1 0.64% 2023-11-05 2026-06-17
CVE-2023-5631 KEV Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. [email protected] 6.1 73.45% 2023-10-18 2026-06-17
CVE-2023-43770 KEV Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. [email protected] 6.1 58.48% 2023-09-22 2026-06-17
CVE-2021-46144 Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. [email protected] 6.1 1.04% 2022-01-06 2026-06-17
CVE-2021-44026 KEV Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. [email protected] 9.8 42.75% 2021-11-18 2026-06-17
CVE-2021-44025 Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. [email protected] 6.1 1.05% 2021-11-18 2026-06-17
CVE-2020-18671 Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. [email protected] 5.4 0.81% 2021-06-24 2026-06-16
CVE-2020-18670 Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. [email protected] 5.4 0.92% 2021-06-24 2026-06-16
CVE-2021-26925 Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. [email protected] 5.4 1.01% 2021-02-09 2026-06-16
CVE-2020-35730 KEV An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. [email protected] 6.1 32.82% 2020-12-28 2026-06-16
CVE-2020-16145 Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. [email protected] 6.1 1.94% 2020-08-12 2026-06-16
CVE-2020-15562 An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. [email protected] 6.1 2.07% 2020-07-06 2026-06-16
cvelogic Threat Intelligence