本頁列出影響 roundcube webmail 的已公開 CVE 漏洞(透過 NVD CPE 關聯)。每列包含嚴重程度評分、摘要與發布日期,便於識別與分析安全議題。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-35545 | An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke. | [email protected] | 5.3 | 0.33% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35544 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important. | [email protected] | 5.3 | 0.37% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35543 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass. | [email protected] | 5.3 | 0.40% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35542 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass. | [email protected] | 5.3 | 0.40% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35541 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password. | [email protected] | 4.2 | 0.24% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35540 | An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. | [email protected] | 5.4 | 0.31% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35539 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment. | [email protected] | 6.1 | 0.25% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35538 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search. | [email protected] | 3.1 | 0.28% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35537 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data. | [email protected] | 3.7 | 0.47% | 2026-04-03 | 2026-06-17 |
| CVE-2025-68461 KEV | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | [email protected] | 7.2 | 19.77% | 2025-12-18 | 2026-06-17 |
| CVE-2025-68460 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer. | [email protected] | 7.2 | 0.24% | 2025-12-18 | 2026-06-17 |
| CVE-2025-49113 KEV | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | [email protected] | 9.9 | 89.16% | 2025-06-02 | 2026-06-17 |
| CVE-2024-57004 | Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session. | [email protected] | 6.1 | 27.76% | 2025-02-03 | 2026-06-17 |
| CVE-2024-42009 KEV | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | [email protected] | 9.3 | 82.85% | 2024-08-05 | 2026-06-17 |
| CVE-2024-42008 | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | [email protected] | 9.3 | 32.27% | 2024-08-05 | 2026-06-17 |
| CVE-2024-37385 | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. | [email protected] | 9.8 | 1.48% | 2024-06-07 | 2026-06-17 |
| CVE-2024-37384 | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. | [email protected] | 6.1 | 0.53% | 2024-06-07 | 2026-06-17 |
| CVE-2024-37383 KEV | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. | [email protected] | 6.1 | 73.30% | 2024-06-07 | 2026-06-17 |
| CVE-2023-47272 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | [email protected] | 6.1 | 0.64% | 2023-11-06 | 2026-06-17 |
| CVE-2023-5631 KEV | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. | [email protected] | 6.1 | 70.88% | 2023-10-18 | 2026-06-17 |