PatchSiren cyber security CVE debrief

CVE-2026-48849 Roundcube CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in Roundcube Webmail: the subject field of a draft message is not properly sanitized when the draft is restored. Affected versions are 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The vulnerability is exploitable in shared mailbox environments where multiple users access the same mailbox: an attacker with mailbox access can store malicious HTML, CSS, or JavaScript in a draft subject, and it executes when another user restores or views that draft. The CVSS 3.1 vector indicates a network attack vector with high attack complexity, low privileges required, user interaction required, and a changed scope (S:C). Confidentiality and integrity impacts are rated low, with no availability impact. The underlying weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). Security updates addressing the issue were released on May 24, 2026, in versions 1.6.16 and 1.7.1.

Vendor: Roundcube
Product: Webmail
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

  • Organizations running Roundcube Webmail with shared mailbox configurations
  • Email service providers hosting Roundcube for multiple tenants
  • Security teams responsible for webmail infrastructure
  • Administrators of collaborative email environments where multiple users access common mailboxes

Technical summary

The vulnerability stems from insufficient output encoding of the subject field when a draft message is restored in Roundcube Webmail. In a shared mailbox deployment, a malicious actor with write access can save a draft whose subject line contains executable content. When another legitimate user restores that draft, the unencoded subject is rendered in the victim's browser context, which is the stored XSS. The attack requires the victim to interact with the restored draft (UI:R), and the scope is Changed (S:C) because the impact lands in the user's browser rather than only in the vulnerable component. The fix applies proper sanitization of the subject field during draft restoration.
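The summary above describes a classic output-encoding failure: a stored string is placed into markup as if it were trusted template text. The following is an added illustration, not Roundcube's code, and the function names (`renderSubjectUnsafe`, `renderSubjectSafe`, `escapeHtml`, `tagCount`) and the draft subject are constructed for this example. It contrasts the unsafe pattern with the hardened one and includes a small check that counts how many HTML tags end up in the rendered output, which is one way a reviewer can confirm that data never became markup.

```javascript
// Added example, not part of Roundcube. Shows why a draft subject must be
// HTML-encoded before it is written back into the compose form.

// Constructed sample subject: the kind of value a user with write access to a
// shared mailbox could store in a draft. Not real Roundcube data.
const HOSTILE_SUBJECT = 'Hello"><img src=x onerror=alert(1)>';

// Encode the characters HTML treats specially so the subject is shown as text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reverse of escapeHtml; used to show that encoding loses no information.
// Ampersand is decoded last so that "&amp;lt;" does not turn into "<".
function unescapeHtml(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern: stored subject concatenated straight into an attribute.
// The closing quote in the data ends the attribute and the rest becomes markup.
function renderSubjectUnsafe(subject) {
  return `<input name="_subject" value="${subject}">`;
}

// Hardened pattern: the subject is encoded for the attribute context first.
function renderSubjectSafe(subject) {
  return `<input name="_subject" value="${escapeHtml(subject)}">`;
}

// Review helper: number of HTML start tags in a rendered fragment. A template
// with a single <input> must yield exactly one, whatever the data contained.
function tagCount(html) {
  const matches = html.match(/<[a-z]/gi);
  return matches ? matches.length : 0;
}

// Stand-alone demonstration.
console.log('unsafe:', renderSubjectUnsafe(HOSTILE_SUBJECT), 'tags =', tagCount(renderSubjectUnsafe(HOSTILE_SUBJECT)));
console.log('safe:  ', renderSubjectSafe(HOSTILE_SUBJECT), 'tags =', tagCount(renderSubjectSafe(HOSTILE_SUBJECT)));
```

The unsafe rendering yields two tags from a one-tag template, which is the signature of the bug; the safe rendering yields one, and decoding the escaped value returns the original subject unchanged, so the user still sees exactly what was stored. In a browser the equivalent of `renderSubjectSafe` is to assign the subject through the DOM (`input.value = subject` or `element.textContent = subject`) rather than building an HTML string.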

Defensive priority

medium

Recommended defensive actions

  • Upgrade Roundcube Webmail to version 1.6.16 (for 1.6.x branch) or 1.7.1 (for 1.7.x branch) or later
  • Review shared mailbox configurations and audit access controls for sensitive mailboxes
  • Implement Content Security Policy (CSP) headers as defense-in-depth for webmail interfaces
  • Monitor for suspicious draft message activity in shared mailbox environments
  • Apply principle of least privilege for mailbox access permissions

Evidence notes

Vulnerability confirmed through official Roundcube security advisory dated May 24, 2026. Two commits (189d30a4890319cd687df959ca9f768a3a613d61 and a21519187873ce962db029b6ff68e47bd7f3fd8a) address the sanitization issue. NVD status currently 'Deferred' pending analysis.
