PatchSiren

Roundcube CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Roundcube CVE published 2026-05-25

CVE-2026-48849

A stored cross-site scripting (XSS) vulnerability exists in Roundcube Webmail where the subject field of draft messages is not properly sanitized when restored. This affects versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The vulnerability is exploitable in shared mailbox environments where multiple users access the same mailbox, allowing an attacker with mailbox access to inject malicious HTML, [truncated]

HIGH Roundcube CVE published 2026-05-25

CVE-2026-48848

Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain an insufficient HTML sanitization vulnerability that permits CSS injection via a crafted SVG document containing an animate element with a manipulated attributeName attribute. The flaw stems from inadequate validation of SVG animation attributes during HTML content filtering, allowing attackers to inject arbitrary [truncated]

LOW Roundcube CVE published 2026-05-25

CVE-2026-48847

A session poisoning vulnerability in Roundcube Webmail allows pre-authentication arbitrary file deletion when Redis or Memcache is configured as the session backend. The flaw exists in versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1. An attacker can manipulate session data stored in Redis/Memcache to inject malicious file paths that get processed during session operations, leading to unauthorized file [truncated]

MEDIUM Roundcube CVE published 2026-05-25

CVE-2026-48846

Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain a vulnerability in the remote image blocking feature. A crafted CSS `var()` value in an email message can bypass this protection mechanism, potentially enabling information disclosure or access-control bypass. The vulnerability is classified as MEDIUM severity with a CVSS 3.1 score of 6.5. Technical details: The [truncated]

MEDIUM Roundcube CVE published 2026-05-25

CVE-2026-48845

A vulnerability in Roundcube Webmail allows remote image blocking bypass for local/private destinations, potentially enabling information disclosure or privilege escalation via crafted text/html email messages. The issue affects versions 1.6.14 through 1.6.16 in the 1.6.x branch and versions prior to 1.7.1 in the 1.7.x branch. The flaw occurs because the application's remote image blocking mechanism fails [truncated]

HIGH Roundcube CVE published 2026-05-25

CVE-2026-48844

Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain an insecure code evaluation vulnerability in the LDAP autovalues configuration option. The autovalues feature allowed dynamic attribute generation through code evaluation, which could be exploited to inject and execute arbitrary code. The vulnerability has been resolved by completely removing support for code evaluation in t [truncated]

HIGH Roundcube CVE published 2026-05-25

CVE-2026-48843

Roundcube Webmail versions 1.6.14 through 1.6.16 and 1.7.x before 1.7.1 contain an insufficient CSS sanitization vulnerability in HTML email processing. The flaw allows malicious stylesheet links within email messages to trigger Server-Side Request Forgery (SSRF) or information disclosure when those links reference internal network hosts. This issue represents an incomplete remediation of CVE-2026-35540, [truncated]

HIGH Roundcube CVE published 2026-05-25

CVE-2026-48842

A pre-authentication SQL injection vulnerability exists in Roundcube Webmail's virtuser_query plugin. The flaw stems from a preg_replace() backslash escape bypass that allows attackers to manipulate SQL queries before authentication. Affected versions include 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The vulnerability carries a HIGH severity CVSS 8.1 score with network attack vector, high attack com [truncated]

Known exploited Roundcube CVE published 2026-02-20

CVE-2025-68461

CVE-2025-68461 is a Roundcube Webmail cross-site scripting (XSS) vulnerability. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2026-02-20, which makes remediation a high priority for any organization that still operates affected Roundcube deployments. The vendor notes referenced in the source corpus point to security updates 1.6.12 and 1.5.12.

Known exploited Roundcube CVE published 2026-02-20

CVE-2025-49113

CVE-2025-49113 is a Roundcube Webmail deserialization of untrusted data vulnerability that CISA has added to the Known Exploited Vulnerabilities (KEV) catalog, which indicates confirmed exploitation in the wild. The official guidance provided in the source corpus is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if m [truncated]

Known exploited Roundcube CVE published 2025-06-09

CVE-2024-42009

CVE-2024-42009 is a Roundcube Webmail cross-site scripting issue that CISA added to the Known Exploited Vulnerabilities catalog on 2025-06-09. Because it is in KEV, defenders should treat exposure as urgent and follow the vendor’s security-update guidance referenced by CISA. If mitigations are not available, CISA advises discontinuing use of the product.

Known exploited Roundcube CVE published 2024-10-24

CVE-2024-37383

CVE-2024-37383 is a Cross-Site Scripting (XSS) issue in Roundcube Webmail that CISA added to its Known Exploited Vulnerabilities catalog on 2024-10-24. Because it is in KEV, affected operators should treat it as a priority remediation item and follow vendor guidance or discontinue use if mitigations are unavailable.

Known exploited Roundcube CVE published 2024-06-26

CVE-2020-13965

CVE-2020-13965 is a cross-site scripting (XSS) issue affecting Roundcube Webmail. CISA added it to the Known Exploited Vulnerabilities catalog on 2024-06-26, which makes it a high-priority remediation item for anyone running Roundcube Webmail. Defenders should confirm whether any Roundcube instances are in use, apply the vendor's security guidance referenced by CISA, and if mitigations cannot be applied s [truncated]

Known exploited Roundcube CVE published 2024-02-12

CVE-2023-43770

CVE-2023-43770 is a persistent cross-site scripting (XSS) issue in Roundcube Webmail that CISA added to the Known Exploited Vulnerabilities catalog on 2024-02-12. That KEV listing is the strongest signal in the supplied corpus that this issue should be treated as actively exploited or otherwise operationally important. For defenders, the practical takeaway is straightforward: prioritize remediation on any [truncated]

Known exploited Roundcube CVE published 2023-10-26

CVE-2023-5631

CVE-2023-5631 is a persistent cross-site scripting (XSS) vulnerability in Roundcube Webmail. CISA added it to the Known Exploited Vulnerabilities catalog on 2023-10-26, so defenders should treat it as actively exploited and prioritize remediation before the 2023-11-16 due date. Roundcube’s vendor security-update notices referenced in the source corpus were published on 2023-10-16, and CISA directs organiz [truncated]

Known exploited Roundcube CVE published 2023-06-22

CVE-2021-44026

CVE-2021-44026 is a Roundcube Webmail SQL injection vulnerability that CISA placed in its Known Exploited Vulnerabilities catalog on 2023-06-22. The official remediation note points to Roundcube security updates 1.4.12 and 1.3.17 released by the vendor, so organizations running Roundcube should apply the vendor guidance promptly and confirm all exposed instances are updated.

Known exploited Roundcube CVE published 2023-06-22

CVE-2020-35730

CVE-2020-35730 is a cross-site scripting (XSS) vulnerability in Roundcube Webmail. It is notable because CISA added it to the Known Exploited Vulnerabilities catalog on 2023-06-22, which indicates it is considered actively exploited and should be prioritized for remediation. The official guidance in the KEV record is to apply updates per vendor instructions.

Known exploited Roundcube CVE published 2023-06-22

CVE-2020-12641

CVE-2020-12641 is a Roundcube Webmail remote code execution vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2023-06-22, with a remediation due date of 2023-07-13. Based on the supplied official sources, the main defensive takeaway is clear: treat this as a high-priority patching issue and follow the vendor’s update instructions.

Known exploited Roundcube CVE published 2021-11-03

CVE-2017-16651

CVE-2017-16651 is a Roundcube Webmail file disclosure vulnerability that CISA has listed in the Known Exploited Vulnerabilities catalog. That KEV designation means it should be treated as actively relevant for defense and remediation planning, even though the supplied official sources do not provide deeper technical details here.

HIGH Roundcube CVE published 2017-01-30

CVE-2015-2181

CVE-2015-2181 affects Roundcube webmail before 1.1.0 in the Password plugin’s DBMail driver. The issue is described as multiple buffer overflows triggered through the username or password fields, with remote attackers able to cause unspecified impact. NVD rates the vulnerability HIGH with a CVSS 3.0 score of 8.8, reflecting network reachability, low privileges, no user interaction, and high confidentialit [truncated]

HIGH Roundcube CVE published 2017-01-30

CVE-2015-2180

CVE-2015-2180 affects Roundcube webmail before 1.1.0, specifically the Password plugin’s DBMail driver. The CVE description and NVD record state that shell metacharacters in the password can be used to execute arbitrary commands. NVD rates the issue as network-accessible with low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.