Skip to main content

Roundcube Webmail CVE-2026-54433

| EUVDEUVD-2026-43732 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-06 vendor:ubuntu GHSA-6hj3-f24f-rwj8
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered XSS with no attacker privileges; I assess UI:R because a webmail victim typically must view the crafted message, keeping S:C and Low C/I as the injected script runs in the authenticated origin.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch available
Jul 14, 2026 - 18:20 EUVD
Analysis Updated
Jul 14, 2026 - 17:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 17:22 NVD
7.2 (HIGH)
Analysis Generated
Jul 06, 2026 - 20:21 vuln.today

DescriptionNVD

[Unknown description]

AnalysisAI

Cross-site scripting in Roundcube Webmail allows remote attackers to inject arbitrary script into a victim's authenticated mail session, with the CVSS scope-change flag indicating the payload can affect resources beyond the vulnerable component (e.g. the surrounding webmail DOM/session). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft email with XSS payload
Delivery
Deliver to victim mailbox
Exploit
Roundcube renders content in session
Execution
Script executes in webmail origin
Impact
Steal session/email data

Vulnerability AssessmentAI

Exploitation The attacker must be able to deliver attacker-controlled content that Roundcube renders in a victim's browser - in a webmail context this almost always means sending an email (or crafting a request) whose HTML/content reaches the victim's Roundcube session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, 7.2 High) describes network-reachable, low-complexity exploitation requiring no privileges and, notably, no user interaction - an aggressive profile for XSS, where a victim typically must open a crafted message. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a specially crafted email (or supplies crafted input to a vulnerable Roundcube parameter) containing an XSS payload that survives sanitization; when the target's authenticated Roundcube session renders it, the script executes in the webmail origin. The attacker can then read or exfiltrate email content, hijack the session, or perform actions as the victim. …
Remediation Upgrade to a fixed release: Roundcube 1.6.17 for the 1.6.x branch or 1.7.2 for the 1.7.x branch, as published at https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2; distribution users (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: complete inventory of all Roundcube instances in production, documenting current version numbers and deployment scope across the organization. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2016-9920 HIGH POC
7.5 Dec 08

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the send

CVE-2020-12641 CRITICAL POC
9.8 May 04

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in

CVE-2020-12640 CRITICAL POC
9.8 May 04

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plu

CVE-2015-2180 HIGH POC
8.8 Jan 30

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands

CVE-2024-42009 CRITICAL POC
9.3 Aug 05

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to stea

CVE-2015-2181 HIGH POC
8.8 Jan 30

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers t

CVE-2017-8114 HIGH POC
8.8 Apr 29

Roundcube Webmail allows arbitrary password resets by authenticated users. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-1000071 HIGH POC
7.5 Mar 13

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in e

CVE-2020-12626 MEDIUM POC
6.5 May 04

An issue was discovered in Roundcube Webmail before 1.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remot

CVE-2016-4552 MEDIUM POC
6.1 Dec 20

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary w

CVE-2015-8793 MEDIUM POC
6.1 Jan 29

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2

Share

CVE-2026-54433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy