Aleksander Machniak

80 exploits, active since Aug 2012
CVE-2023-5631 MEDIUM WRITEUP
Roundcube Webmail < 1.4.15, 1.5.x < 1.5.5, 1.6.x < 1.6.4 - Stored Cross-Site Scripting via SVG in HTML Email
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
CVSS 6.1
CVE-2024-37384 MEDIUM WRITEUP
Roundcube Webmail < 1.5.7 and 1.6.x < 1.6.7 - Stored Cross-Site Scripting via List Columns from User Preferences
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
CVSS 6.1
CVE-2024-37385 CRITICAL WRITEUP
Roundcube Webmail < 1.5.7 and 1.6.x < 1.6.7 - OS Command Injection via im_convert_path and im_identify_path
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
CVSS 9.8
CVE-2025-68460 HIGH WRITEUP
Roundcube Webmail < 1.5.12 and 1.6 < 1.6.12 - Information Disclosure via HTML Style Sanitizer
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
CVSS 7.2
CVE-2026-26079 MEDIUM WRITEUP
Roundcube Webmail <1.5.13 & <1.6.13 - XSS
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
CVSS 4.7