CVE-2024-42008

CRITICAL

Roundcube Webmail < 1.5.8 - Cross-Site Scripting via Malicious Email Attachment Content-Type Header

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-42008. PoCs published by victoni, rpgsec, Foxer131.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for exploiting CVE-2024-42008 (XSS via malicious XML attachment) and CVE-2024-42010 (HTML exfiltration via CSS injection) in Roundcube Webmail. The exploit chain involves sending a malicious email with an XML attachment and CSS import to exfiltrate the UID of the attachment, enabling XSS execution.

Description

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

Exploits (3)

nomisec WORKING POC 2 stars
by victoni · poc
https://github.com/victoni/Roundcube-CVE-2024-42008-and-CVE-2024-42010-POC

This repository contains a functional proof-of-concept for exploiting CVE-2024-42008 (XSS via malicious XML attachment) and CVE-2024-42010 (HTML exfiltration via CSS injection) in Roundcube Webmail. The exploit chain involves sending a malicious email with an XML attachment and CSS import to exfiltrate the UID of the attachment, enabling XSS execution.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Roundcube Webmail
No auth needed
Prerequisites: Ability to send emails to the target Roundcube instance · Hosting a JavaScript server on a domain starting with 'a'
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by rpgsec · poc
https://github.com/rpgsec/Roundcube-CVE-2024-42008-POC

This repository contains a functional exploit for CVE-2024-42008, a Cross-Site Scripting (XSS) vulnerability in RoundCube webmail. The exploit leverages CSS animation properties to bypass content filters and execute arbitrary JavaScript in the context of the webmail application.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: RoundCube webmail ≤ 1.5.7, 1.6.x ≤ 1.6.7
No auth needed
Prerequisites: Access to a vulnerable RoundCube instance · Ability to send emails to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Foxer131 · poc
https://github.com/Foxer131/CVE-2024-42008-9-exploit

This repository contains a functional exploit for CVE-2024-42008 and CVE-2024-42009, targeting Roundcube 1.6.7. The exploit leverages XSS to exfiltrate email contents via a crafted payload delivered through a contact form.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Roundcube 1.6.7
No auth needed
Prerequisites: Victim interaction with a malicious email · Attacker-controlled server to receive exfiltrated data
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 9.3
EPSS 0.3245
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
roundcube/webmail < 1.5.8
Published Aug 05, 2024
Tracked Since Feb 18, 2026