Skip to main content

Roundcube Webmail EUVD-2026-31728

| CVE-2026-48849 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-25 mitre GHSA-2m7q-4j9m-89vh
XSS Webmail
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 12:44 vuln.today
Analysis Generated
Jun 08, 2026 - 12:44 vuln.today
Patch available
May 26, 2026 - 14:01 EUVD

DescriptionCVE.org

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

AnalysisAI

Stored XSS and HTML/CSS injection in Roundcube Webmail 1.6.x and 1.7.x allows an authenticated attacker to plant a malicious payload in a draft message's subject field, which then executes in the browsers of other users when they encounter the draft restore dialog on a shared mailbox. Fixed in versions 1.6.16 and 1.7.1 per vendor advisory published 2026-05-24. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker authenticates to Roundcube instance
Delivery
Craft draft with XSS payload in subject field
Exploit
Save draft to shared mailbox folder
Execution
Victim co-user opens draft restore dialog
Persist
Unsanitized subject renders in victim's browser
Impact
Attacker script executes in victim's authenticated session
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Roundcube user account (confirmed by PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 4.4 (Medium) accurately reflects a constrained attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid Roundcube credentials on an instance with shared mailbox access composes a draft message and injects a JavaScript or CSS payload (e.g., a cookie-stealing script or UI redress element) into the subject field, then saves it to a shared mailbox folder. When a co-user of that shared mailbox triggers the draft restore dialog - either deliberately or through normal draft management - the unsanitized subject content renders in their browser, executing the attacker's payload within their authenticated session context. …
Remediation The primary fix is to upgrade to Roundcube Webmail 1.6.16 (for 1.6.x deployments) or 1.7.1 (for 1.7.x deployments), both released 2026-05-24 and available at https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 and the respective GitHub release tags https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 and https://github.com/roundcube/roundcubemail/releases/tag/1.7.1. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

EUVD-2026-31728 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy