CVE-2020-12640

CRITICAL

Roundcube Webmail <1.4.4 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-12640. PoCs published by mbadanoiu.

AI-analyzed exploit summary: This repository provides a writeup for CVE-2020-12640, a local PHP file inclusion vulnerability in Roundcube Webmail due to unsanitized plugin parameters. The vulnerability allows path traversal to include arbitrary PHP files, but no exploit code is provided.

Description

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

Exploits (1)

nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2020-12640


Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Roundcube Webmail before 1.4.4, 1.3.11, and 1.2.10
Auth required
Prerequisites: Access to the Roundcube Webmail installer component · Write access to the target's filesystem
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202007-41
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html

Scores

CVSS v3 9.8
EPSS 0.0673
EPSS Percentile 93.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (4)
opensuse/backports_sle 15.0 sp1 (2 CPE variants)
opensuse/leap 15.1
opensuse/leap 15.2
roundcube/webmail 1.2.0 - 1.2.10
Published May 04, 2020
Tracked Since Feb 18, 2026