Skip to main content

Roundcube Webmail EUVDEUVD-2026-43747

| CVE-2026-62642 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-07-14 mitre GHSA-345h-r9m2-jr4p
4.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
vuln.today AI
4.3 MEDIUM

Network-reachable parser flaw triggered by opening an email (UI:R, PR:N); no authentication needed; impact is availability-only and scoped to the vulnerable system (A:L, S:U).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 18:20 EUVD
Source Code Evidence Fetched
Jul 14, 2026 - 16:35 vuln.today
Analysis Generated
Jul 14, 2026 - 16:35 vuln.today

DescriptionCVE.org

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment.

AnalysisAI

Roundcube Webmail's TNEF (winmail.dat) decoder enters an infinite loop when processing a specially crafted TNEF attachment, causing denial of service for users on affected installations. Versions before 1.6.17 and 1.7.x before 1.7.2 are confirmed affected per the vendor advisory issued 2026-07-05. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted TNEF-attached email to target
Delivery
Victim opens email in Roundcube
Exploit
TNEF decoder enters infinite loop
Execution
PHP worker CPU exhaustion
Impact
User session denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open or preview an email containing a crafted TNEF (winmail.dat) attachment in a vulnerable version of Roundcube Webmail - confirmed by UI:R in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 score reflects a real but limited risk: AV:N/AC:L indicates the attack is network-reachable with no special conditions, but UI:R requires the target to open the malicious email, ruling out fully automated exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker composes and sends an email with a specially crafted TNEF (winmail.dat) attachment to a target user on a vulnerable Roundcube installation. When the victim opens or previews the message, Roundcube's TNEF decoder begins processing the attachment and enters an infinite loop, tying up the PHP worker and causing the session to hang or become unresponsive. …
Remediation Upgrade to Roundcube Webmail 1.6.17 (1.6.x branch) or 1.7.2 (1.7.x branch), both confirmed patched releases per the vendor advisory at https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2 and the GitHub commits 877269c79359d959a94f13c9070cab0f3389c193, fb952956c6eaf29e963f1a718d028d66e7957ce0, a007321346380136b3de2bd75b486b04f63c0d38, and 132ac8dd5a55c8466be12de1daf84355697ffa89. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2016-9920 HIGH POC
7.5 Dec 08

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the send

CVE-2020-12641 CRITICAL POC
9.8 May 04

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in

CVE-2020-12640 CRITICAL POC
9.8 May 04

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plu

CVE-2015-2180 HIGH POC
8.8 Jan 30

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands

CVE-2024-42009 CRITICAL POC
9.3 Aug 05

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to stea

CVE-2015-2181 HIGH POC
8.8 Jan 30

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers t

CVE-2017-8114 HIGH POC
8.8 Apr 29

Roundcube Webmail allows arbitrary password resets by authenticated users. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-1000071 HIGH POC
7.5 Mar 13

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in e

CVE-2020-12626 MEDIUM POC
6.5 May 04

An issue was discovered in Roundcube Webmail before 1.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remot

CVE-2016-4552 MEDIUM POC
6.1 Dec 20

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary w

CVE-2015-8793 MEDIUM POC
6.1 Jan 29

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2

Share

EUVD-2026-43747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy