CVE-2024-42009

CRITICAL · KEV · NUCLEI · LAB

Roundcube Webmail < 1.5.8 - XSS


Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Exploits (6)

nomisec · WORKING POC · 7 stars
by DaniTheHack3r · client-side
https://github.com/DaniTheHack3r/CVE-2024-42009-PoC

nomisec · WORKING POC · 4 stars
by 0xbassiouny1337 · client-side
https://github.com/0xbassiouny1337/CVE-2024-42009

nomisec · WORKING POC · 1 star
by ZaidArif47 · remote
https://github.com/ZaidArif47/CVE-2024-42009

nomisec · WORKING POC · 1 star
by Bhanunamikaze · client-side
https://github.com/Bhanunamikaze/CVE-2024-42009

nomisec · WORKING POC
by Shubhankargupta691 · poc
https://github.com/Shubhankargupta691/CVE-2024-42009

github · WORKING POC
by Foxer131 · python · client-side
https://github.com/Foxer131/CVE-2024-42008-9-exploit

Nuclei Templates (1)

Roundcube Webmail - Cross-Site Scripting
CRITICAL · VERIFIED · by rxerium
Shodan: cpe:"cpe:2.3:a:roundcube:webmail"
FOFA: roundcube_sessid

Scores

CVSS v3 9.3
EPSS 0.9116
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull roundcube/roundcubemail:1.6.7-fpm
docker pull ghcr.io/docker-mailserver/docker-mailserver:latest
docker pull roundcube/roundcubemail:1.6.7-apache

Details

CISA KEV 2025-06-09
VulnCheck KEV 2025-06-05
ENISA EUVD EUVD-2024-39391
CWE
CWE-79
Status published
Products (1)
roundcube/webmail < 1.5.8
Published Aug 05, 2024
KEV Added Jun 09, 2025
Tracked Since Feb 18, 2026