Aleksander Machniak - Security Researcher - Exploit Intelligence Platform

CVE-2026-35540 WRITEUP MEDIUM WRITEUP

Roundcube Webmail 1.6.0-1.6.13 - Server-Side Request Forgery via CSS Stylesheet Links

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

CVSS 5.4

View Code

CVE-2026-35541 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.5.14 - Auth Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

CVSS 4.2

View Code

CVE-2026-35542 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - Information Disclosure via Background Attribute Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

CVSS 5.3

View Code

CVE-2026-35543 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - Information Disclosure via SVG Animate Attribute Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

CVSS 5.3

View Code

CVE-2026-35544 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.5.14 - CSS Sanitization Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

CVSS 5.3

View Code

CVE-2026-35545 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.5.15, 1.6.0-1.6.15, 1.7-beta-1.7-rc5 - Information Disclosure via SVG Animate Element Bypass

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

CVSS 5.3

View Code

CVE-2026-35537 WRITEUP LOW WRITEUP

Roundcube Webmail <1.5.14 - Deserialization

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

CVSS 3.7

View Code

CVE-2026-35538 WRITEUP LOW WRITEUP

Roundcube Webmail < 1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - IMAP Injection via Search Command Arguments

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

CVSS 3.1

View Code

CVE-2026-35539 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - Stored Cross-Site Scripting via HTML Attachment Preview

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

CVSS 6.1

View Code

CVE-2026-35540 WRITEUP MEDIUM WRITEUP

Roundcube Webmail 1.6.0-1.6.13 - Server-Side Request Forgery via CSS Stylesheet Links

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

CVSS 5.4

View Code

CVE-2026-35541 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.5.14 - Auth Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

CVSS 4.2

View Code

CVE-2026-35542 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - Information Disclosure via Background Attribute Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

CVSS 5.3

View Code

CVE-2026-35543 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - Information Disclosure via SVG Animate Attribute Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

CVSS 5.3

View Code

CVE-2026-35544 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.5.14 - CSS Sanitization Bypass

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

CVSS 5.3

View Code

CVE-2026-35545 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.5.15, 1.6.0-1.6.15, 1.7-beta-1.7-rc5 - Information Disclosure via SVG Animate Element Bypass

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

CVSS 5.3

View Code

CVE-2012-6121 WRITEUP WRITEUP

Roundcube Webmail < 0.8.5 - Cross-Site Scripting via Data or VBScript Link

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.

View Code

CVE-2015-5381 WRITEUP MEDIUM WRITEUP

Roundcube Webmail 1.1.x - Cross-Site Scripting via _mbox Parameter

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

CVSS 6.1

View Code

CVE-2015-5382 WRITEUP MEDIUM WRITEUP

Roundcube Webmail <1.0.6, <1.1.2 - Info Disclosure

program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

CVSS 6.5

View Code

CVE-2020-12626 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.4.4 - Cross-Site Request Forgery via Logout POST Request

An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

CVSS 6.5

View Code

CVE-2020-13964 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.3.12 and 1.4.x < 1.4.5 - Cross-Site Scripting via Username Template Object

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

CVSS 6.1

View Code

CVE-2020-15562 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.2.11, 1.3.x < 1.3.14, 1.4.x < 1.4.7 - Stored Cross-Site Scripting via HTML Email xmlns Attribute

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.

CVSS 6.1

View Code

CVE-2020-16145 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.3.15 and 1.4.8 - Stored Cross-Site Scripting via SVG in HTML Messages

Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

CVSS 6.1

View Code

CVE-2021-26925 WRITEUP MEDIUM WRITEUP

Roundcube Webmail < 1.4.11 - Cross-Site Scripting via CSS Token Sequences in HTML Email Renderer

Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.

CVSS 5.4

View Code

CVE-2021-46144 WRITEUP MEDIUM WRITEUP

Roundcube < 1.4.13 and 1.5.x < 1.5.2 - Cross-Site Scripting via Crafted CSS Token Sequences

Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.

CVSS 6.1

View Code

CVE-2023-47272 WRITEUP MEDIUM WRITEUP

Roundcube Webmail 1.5.0-1.5.5 and 1.6.0-1.6.4 - Cross-Site Scripting via Content-Type or Content-Disposition Header

Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

CVSS 6.1

View Code