CVE-2025-68461

HIGH KEV

Roundcube Webmail < 1.5.12 - XSS

Description

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a cross-site scripting (XSS) vulnerability via the animate tag in an SVG document.

Exploits (2)

nomisec SCANNER 16 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-68461
nomisec SCANNER 4 stars
by gotr00t0day · poc
https://github.com/gotr00t0day/CVE-2025-68461

Scores

CVSS v3 7.2
EPSS 0.0852
EPSS Percentile 92.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Details

CISA KEV 2026-02-20
VulnCheck KEV 2026-02-20
ENISA EUVD EUVD-2025-204035
CWE CWE-79
Status published
Products (1)
roundcube/webmail < 1.5.12
Published Dec 18, 2025
KEV Added Feb 20, 2026
Tracked Since Feb 18, 2026