CVE-2024-42009

Tags: CRITICAL · KEV · NUCLEI · LAB

Roundcube Webmail <= 1.5.7 and 1.6.x <= 1.6.7 - Cross-Site Scripting via Desanitization in message_body()

Title source: llm

Exploitation Summary

CVE-2024-42009 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 9, 2025. EIP tracks 6 public exploits from researchers including DaniTheHack3r, 0xbassiouny1337, ZaidArif47. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail. The exploit demonstrates how an attacker can inject malicious JavaScript into an email message to exfiltrate email content from a victim's inbox.

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Exploits (6)

nomisec · WORKING POC · 7 stars
by DaniTheHack3r · client-side
https://github.com/DaniTheHack3r/CVE-2024-42009-PoC

This repository contains a functional proof-of-concept exploit for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail. The exploit demonstrates how an attacker can inject malicious JavaScript into an email message to exfiltrate email content from a victim's inbox.

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Roundcube Webmail version 1.6.7 and several other versions
Auth: No auth needed
Prerequisites: Victim must open the malicious message · Target URL and recipient email address · Listener host and port for exfiltration
Analyzed by devstral-2 · Feb 18, 2026
nomisec · WORKING POC · 4 stars
by 0xbassiouny1337 · client-side
https://github.com/0xbassiouny1337/CVE-2024-42009

This repository contains a functional Python exploit for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail 1.6.7. The exploit injects a malicious payload via a contact form, which exfiltrates email content to an attacker-controlled server.

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Roundcube Webmail 1.6.7
Auth: No auth needed
Prerequisites: Access to a vulnerable Roundcube Webmail instance · Ability to send a crafted contact form submission
Analyzed by devstral-2 · Feb 18, 2026
nomisec · WORKING POC · 1 star
by ZaidArif47 · remote
https://github.com/ZaidArif47/CVE-2024-42009

This repository provides a functional Docker-based PoC for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail. It includes a pre-configured environment and a crafted email payload to demonstrate the exploit.

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Roundcube Webmail ≤ 1.5.7, ≤ 1.6.7
Auth: Auth required
Prerequisites: Docker · swaks tool · vulnerable Roundcube instance
Analyzed by devstral-2 · Apr 17, 2026
nomisec · WORKING POC · 1 star
by Bhanunamikaze · client-side
https://github.com/Bhanunamikaze/CVE-2024-42009

This repository contains a functional PoC for CVE-2024-42009, demonstrating an XSS vulnerability in a webmail application to exfiltrate email content via a crafted payload and HTTP listener.

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Unspecified webmail application
Auth: No auth needed
Prerequisites: Python 3.x · requests · beautifulsoup4 · target webmail URL · attacker-controlled server IP/port
Analyzed by devstral-2 · Feb 18, 2026
nomisec · WORKING POC
by Shubhankargupta691 · poc
https://github.com/Shubhankargupta691/CVE-2024-42009

The repository contains functional Nuclei templates for detecting and exploiting CVE-2024-42009, a reflected XSS vulnerability in Roundcube Webmail. The templates include OOB (Out-of-Band) and direct injection methods to verify the vulnerability.

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Roundcube Webmail (versions 1.5.x up to 1.5.7, 1.6.x up to 1.6.7)
Auth: No auth needed
Prerequisites: Access to the Roundcube Webmail interface · Ability to send crafted HTTP requests
Analyzed by devstral-2 · Feb 18, 2026
github · WORKING POC
by Foxer131 · python · client-side
https://github.com/Foxer131/CVE-2024-42008-9-exploit

This repository contains a functional exploit for CVE-2024-42008 and CVE-2024-42009, targeting Roundcube 1.6.7. The exploit leverages XSS to exfiltrate email contents via a crafted payload delivered through a contact form.

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Roundcube 1.6.7
Auth: No auth needed
Prerequisites: Attacker-controlled server to receive exfiltrated data · Victim interaction to trigger the XSS payload
Analyzed by devstral-2 · Feb 19, 2026

Nuclei Templates (1)

Roundcube Webmail - Cross-Site Scripting
CRITICAL · VERIFIED · by rxerium
Shodan: cpe:"cpe:2.3:a:roundcube:webmail"
FOFA: roundcube_sessid

Scores

CVSS v3: 9.3
EPSS: 0.8296
EPSS Percentile: 99.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Lab Environment

COMMUNITY · Community Lab
docker pull roundcube/roundcubemail:1.6.7-fpm
docker pull ghcr.io/docker-mailserver/docker-mailserver:latest
docker pull roundcube/roundcubemail:1.6.7-apache
+3 more repos

Details

CISA KEV: 2025-06-09
VulnCheck KEV: 2025-06-05
ENISA EUVD: EUVD-2024-39391
CWE: CWE-79
Status: published
Products (1): roundcube/webmail < 1.5.8
Published: Aug 05, 2024
KEV Added: Jun 09, 2025
Tracked Since: Feb 18, 2026