PatchSiren cyber security CVE debrief
CVE-2026-48848 Roundcube CVE debrief
## Summary

Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain an insufficient HTML sanitization vulnerability that permits CSS injection via a crafted SVG document containing an animate element with a manipulated attributeName attribute. The flaw stems from inadequate validation of SVG animation attributes during HTML content filtering, allowing attackers to inject arbitrary Cascading Style Sheets into rendered email content. This vulnerability carries a HIGH severity CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating network-exploitable conditions with low attack complexity, no required privileges or user interaction, and scope change potential with low impacts to confidentiality and integrity. The Roundcube project released security updates 1.6.16 and 1.7.1 on May 24, 2026 to address this issue. The CVE was published on May 25, 2026 and modified on May 26, 2026. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting).
- Vendor: Roundcube
- Product: Webmail
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations operating Roundcube Webmail instances for enterprise, educational, or personal email services; email security gateway administrators; web application security teams responsible for email client security; Roundcube hosting providers and managed service providers; security-conscious end users relying on Roundcube for sensitive communications
Technical summary
The vulnerability exists in Roundcube Webmail's HTML sanitization engine, specifically in its handling of Scalable Vector Graphics (SVG) content embedded within email messages. The animate element in SVG supports an attributeName attribute that specifies which attribute of the target element is being animated. Insufficient validation of this attribute allows attackers to craft malicious SVG documents that inject arbitrary CSS properties. When such content passes through Roundcube's filtering and is rendered in a victim's browser, the injected CSS can manipulate page presentation, potentially enabling data exfiltration or user interface spoofing, or serving as a stepping stone for further attacks. The CVSS scope change metric (S:C) indicates the vulnerable component impacts resources beyond its security scope. The fix involves enhanced sanitization logic for SVG animation attributes, as implemented in commits 58e5263f341e6a418774fb6d2643669a3c4d8a27 and c960d102472dc579e15907d5bcdc3103a090ccf9.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Roundcube Webmail installations to version 1.6.16 (for 1.6.x branch) or 1.7.1 (for 1.7.x branch) immediately
- Review email content filtering configurations to ensure SVG sanitization policies are enforced
- Monitor for anomalous email content containing embedded SVG documents with animation elements
- Apply principle of least privilege to webmail application deployments
- Validate that upstream HTML sanitization libraries are current and properly configured
- Consider implementing Content Security Policy (CSP) headers as defense-in-depth for webmail interfaces
- Audit email rendering pipelines for bypass opportunities in HTML/CSS filtering logic
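The defensive idea behind the fix described in the technical summary, and behind the "monitor for anomalous email content" action above, is the same: an SVG animation element may only target an attribute that the sanitizer explicitly allows. The following stand-alone filter is an added example written for this debrief; it is not Roundcube's code and does not reproduce the project's sanitizer. It scans an HTML message body with Python's standard `html.parser`, drops any `animate`, `set` or `animateTransform` element whose `attributeName` is missing or not on an allowlist, and reports what it dropped so the same logic can run in detection-only mode in a mail pipeline. The allowlist `SAFE_ANIMATABLE_ATTRS` and the two sample message bodies are constructed for illustration; the rejected sample targets `style` simply as an example of a name outside the allowlist, not as a claim about the published trigger.

```python
"""Allowlist filter for SVG animation elements in HTML email bodies.

Added example, not Roundcube code. Assumptions: the allowlist below and the
sample bodies are constructed for this debrief.
"""
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional

# SVG elements that take an attributeName and are therefore subject to the check.
ANIMATION_TAGS = {"animate", "set", "animatetransform"}

# Constructed allowlist (an assumption for this example): geometry and paint
# attributes an animation may target. Anything else, including "style" and
# unknown or namespaced names, is rejected.
SAFE_ANIMATABLE_ATTRS = {
    "x", "y", "cx", "cy", "r", "rx", "ry", "width", "height",
    "opacity", "fill", "fill-opacity", "stroke", "stroke-width",
    "stroke-opacity", "transform", "d", "points", "offset",
}


@dataclass
class Finding:
    tag: str
    attribute_name: Optional[str]   # raw value as found, None if absent
    position: tuple                 # (line, column) from the parser


class SvgAnimationFilter(HTMLParser):
    """Rebuilds the markup, omitting rejected animation elements and their content."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.findings: list[Finding] = []
        self._skip_depth = 0  # >0 while inside a rejected element

    def _rejected(self, tag: str, attrs) -> bool:
        if tag not in ANIMATION_TAGS:
            return False
        name = dict(attrs).get("attributename")  # parser lowercases attribute names
        target = name.strip().lower() if name else None
        if target in SAFE_ANIMATABLE_ATTRS:
            return False
        self.findings.append(Finding(tag, name, self.getpos()))
        return True

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            self._skip_depth += 1
            return
        if self._rejected(tag, attrs):
            self._skip_depth = 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if self._skip_depth or self._rejected(tag, attrs):
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._skip_depth:
            self._skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")


def filter_svg_animations(html: str) -> tuple[str, list[Finding]]:
    """Return (sanitized_html, findings); findings is empty for clean input."""
    parser = SvgAnimationFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


def is_suspicious(html: str) -> bool:
    """Detection-only entry point for a mail pipeline or gateway rule."""
    return bool(filter_svg_animations(html)[1])


# Constructed sample bodies (not real messages).
BENIGN = (
    '<p>Quarterly report</p>'
    '<svg width="100" height="100"><circle cx="50" cy="50" r="10">'
    '<animate attributeName="r" from="10" to="40" dur="1s"/>'
    '</circle></svg>'
)
SUSPICIOUS = (
    '<p>Invoice</p>'
    '<svg><rect width="10" height="10">'
    '<animate attributeName="style" dur="1s"></animate>'
    '</rect></svg>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        cleaned, hits = filter_svg_animations(body)
        print(f"{label}: {len(hits)} rejected animation element(s)")
        for h in hits:
            print(f"  line {h.position[0]} col {h.position[1]}: "
                  f"<{h.tag} attributeName={h.attribute_name!r}> dropped")
        print("  output:", cleaned)
```

The allowlist, rather than a denylist of known-bad names, is the point: a denylist has to anticipate every attribute whose animation could become CSS, whereas the allowlist only has to enumerate what a legitimate message needs. Running `is_suspicious` over incoming mail gives a low-noise signal for the monitoring action above, since benign marketing SVGs animate geometry and paint attributes, not `style`.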
Evidence notes
- CVE published 2026-05-25T20:16:37.413Z per official NVD record; modified 2026-05-26T19:26:42.643Z
- Roundcube security updates announced 2026-05-24 per vendor security advisory
- Affected versions: Roundcube Webmail 1.6.x before 1.6.16, 1.7.x before 1.7.1
- Patched versions: 1.6.16, 1.7.1
- CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (Score: 7.2, HIGH)
- CWE-79: Improper Neutralization of Input During Web Page Generation
- Vulnerability type: CSS injection via SVG animate element attributeName manipulation
- Not listed in CISA KEV catalog as of CVE publication date
Official resources
2026-05-25T20:16:37.413Z