
Roundcube Webmail CVE-2026-48848

EUVD-2026-31727 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-25 · mitre · GHSA-p64r-9rcj-x33x
CVSS 3.1 (NVD): 7.2

Severity by source

NVD (primary): 7.2 HIGH, AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
SUSE: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 09:43 (vuln.today)
Analysis Generated: Jun 08, 2026 09:43 (vuln.today)
Patch available: May 26, 2026 14:01 (EUVD)

Description (CVE.org)

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

Analysis (AI)

CSS injection in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) allows remote attackers to bypass the HTML sanitizer by embedding an SVG document with an animate element whose attributeName references style, enabling XSS-style attacks against mail recipients. The flaw carries a CVSS 7.2 (changed scope) with no privileges or user interaction required beyond viewing a crafted message; no public exploit was identified at the time of analysis, and an EPSS of 0.04% (14th percentile) indicates low predicted exploitation volume despite the trivially triggerable attack vector.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft email with SVG animate attributeName=style payload
Delivery: Deliver via SMTP to target mailbox
Exploit: Victim opens message in Roundcube HTML view
Execution: Sanitizer bypass triggers CSS mutation in browser
Persist: Exfiltrate styled DOM content or overlay phishing UI
Impact: Capture session or credentials under webmail origin

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target Roundcube instance to be running an affected version (1.6.0-1.6.15 or 1.7.0) with HTML message rendering enabled (the default), and the victim must open or preview an attacker-supplied email containing the crafted SVG <animate attributeName="style"> payload. No Roundcube account or authentication is needed on the attacker side because delivery is via ordinary SMTP. …

Risk Assessment: The CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N describes network-reachable, low-complexity exploitation with changed scope and partial confidentiality/integrity impact, consistent with a stored XSS/CSS injection that fires when a victim opens an attacker-controlled email. …

Exploit Scenario: An attacker emails a target Roundcube user a message containing an SVG block with <animate attributeName="style" ...> that survives the HTML sanitizer; when the victim opens the message in the webmail UI, the animation rewrites the page's CSS to exfiltrate styled content, overlay a credential-harvesting form, or pivot via further script gadgets. No public exploit identified at time of analysis, though the upstream fix and reporter credit (wooseokdotkim) suggest reproduction details could surface from diffing the patch commits.

Remediation: Vendor-released patch: upgrade to Roundcube Webmail 1.6.16 (for the 1.6.x branch) or 1.7.1 (for the 1.7.x branch) per https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1; the underlying fix commits are 58e5263 (1.6) and c960d10 (1.7). …
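A defender-side check for the sanitizer gap described above, added here as an example and not code from Roundcube or vuln.today: it scans an HTML mail body with Python's standard-library parser and flags SMIL animation elements inside an <svg> whose attributeName targets style, so affected messages can be quarantined or re-sanitized at a gateway or during a mailbox audit until the upgrade is applied. The set of animation element names and the "inside <svg> only" scoping are assumptions; the sample body is constructed and carries no real payload.

```python
"""Flag SVG SMIL animation elements that retarget 'style' in an HTML mail body.
Added example (not Roundcube's sanitizer); the tag set and svg-only scoping are assumptions."""
from html.parser import HTMLParser

# SMIL elements that can rewrite an attribute of their parent element (assumed set).
ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}


class StyleAnimationFinder(HTMLParser):
    """Records (tag, line) for animation elements whose attributeName is 'style'."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0      # > 0 while inside an <svg> subtree
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names: attributeName -> "attributename",
        # animateTransform -> "animatetransform". Self-closing <animate .../>
        # is routed here too, because handle_startendtag calls handle_starttag.
        if tag == "svg":
            self.svg_depth += 1
            return
        if tag in ANIMATION_TAGS and self.svg_depth > 0:
            attr = {name: (value or "") for name, value in attrs}
            target = attr.get("attributename", "").strip().lower()
            if target == "style":
                self.findings.append((tag, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def find_style_animations(html_body):
    """Return [(tag, line_number), ...] for every style-retargeting animation."""
    parser = StyleAnimationFinder()
    parser.feed(html_body)
    parser.close()
    return parser.findings


def message_needs_review(html_body):
    """True when the body should be quarantined or re-sanitized before display."""
    return bool(find_style_animations(html_body))


if __name__ == "__main__":
    # Constructed sample: only the element shape named in the advisory, no payload.
    SAMPLE = '<p>hi</p><svg><animate attributeName="style" dur="1s"/></svg>'
    print(find_style_animations(SAMPLE))  # [('animate', 1)]
```

An animation element outside any <svg> is deliberately ignored because the HTML parser treats it as an inert unknown element; a stricter deployment can drop the svg_depth test to flag it anyway.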

Recommended Action (AI)

Within 24 hours: Conduct inventory of all Roundcube Webmail deployments and identify instances running 1.6.x (before 1.6.16) or 1.7.x (before 1.7.1). …


Vendor Status (Vendor)

SUSE
Severity: High
Product Status:
openSUSE Leap 16.0: Fixed
openSUSE Tumbleweed: Fixed


CVE-2026-48848 vulnerability details – vuln.today
