Roundcube Webmail
53 CVEs affecting Roundcube Webmail. Latest disclosed: 2026-05-28. Critical: 1, High: 12.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-49113 | Critical | 9.9 | 2025-06-02 | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validat… |
| CVE-2017-8114 | High | 8.8 | 2017-04-29 | Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The… |
| CVE-2015-2181 | High | 8.8 | 2017-01-30 | Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) p… |
| CVE-2015-2180 | High | 8.8 | 2017-01-30 | The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the passwo… |
| CVE-2016-4069 | High | 8.8 | 2016-08-25 | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests th… |
| CVE-2026-48842 | High | 8.1 | 2026-05-25 | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash e… |
| CVE-2026-48844 | High | 7.5 | 2026-05-25 | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection… |
| CVE-2015-5383 | High | 7.5 | 2017-05-23 | Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs director… |
| CVE-2016-9920 | High | 7.5 | 2016-12-08 | steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not prope… |
| CVE-2026-48848 | High | 7.2 | 2026-05-25 | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an… |
| CVE-2026-48843 | High | 7.2 | 2026-05-25 | Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1 has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages that may… |
| CVE-2025-68461 | High | 7.2 | 2025-12-18 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site Scripting (XSS) vulnerability via the animate tag in an SVG document. |
| CVE-2025-68460 | High | 7.2 | 2025-12-18 | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer. |
| CVE-2026-48846 | Medium | 6.5 | 2026-05-25 | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail m… |
| CVE-2026-48845 | Medium | 6.5 | 2026-05-25 | In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinati… |
| CVE-2015-5382 | Medium | 6.5 | 2017-05-23 | program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the… |
| CVE-2026-35539 | Medium | 6.1 | 2026-04-03 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victi… |
| CVE-2015-5381 | Medium | 6.1 | 2017-05-23 | Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web… |
| CVE-2016-4068 | Medium | 6.1 | 2017-04-13 | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTM… |
| CVE-2015-8864 | Medium | 6.1 | 2017-04-13 | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTM… |