Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Network-delivered XSS with no attacker privileges; I assess UI:R because a webmail victim typically must view the crafted message, keeping S:C and Low C/I as the injected script runs in the authenticated origin.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionNVD
[Unknown description]
AnalysisAI
Cross-site scripting in Roundcube Webmail allows remote attackers to inject arbitrary script into a victim's authenticated mail session, with the CVSS scope-change flag indicating the payload can affect resources beyond the vulnerable component (e.g. the surrounding webmail DOM/session). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to deliver attacker-controlled content that Roundcube renders in a victim's browser - in a webmail context this almost always means sending an email (or crafting a request) whose HTML/content reaches the victim's Roundcube session. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, 7.2 High) describes network-reachable, low-complexity exploitation requiring no privileges and, notably, no user interaction - an aggressive profile for XSS, where a victim typically must open a crafted message. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a specially crafted email (or supplies crafted input to a vulnerable Roundcube parameter) containing an XSS payload that survives sanitization; when the target's authenticated Roundcube session renders it, the script executes in the webmail origin. The attacker can then read or exfiltrate email content, hijack the session, or perform actions as the victim. … |
| Remediation | Upgrade to a fixed release: Roundcube 1.6.17 for the 1.6.x branch or 1.7.2 for the 1.7.x branch, as published at https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2; distribution users (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: complete inventory of all Roundcube instances in production, documenting current version numbers and deployment scope across the organization. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the send
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plu
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to stea
Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers t
Roundcube Webmail allows arbitrary password resets by authenticated users. Rated high severity (CVSS 8.8), this vulnerab
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in e
An issue was discovered in Roundcube Webmail before 1.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remot
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary w
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43732
GHSA-6hj3-f24f-rwj8