CVE-2026-25916

MEDIUM

Roundcube Webmail <1.5.13 & <1.6.13 - XSS

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-25916. PoCs published by XiaomingX, mbanyamer.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes automated data extraction for admin credentials and hashes.

Description

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25916

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes automated data extraction for admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 1 stars

by mbanyamer · poc

https://github.com/mbanyamer/CVE-2026-25916-Roundcube-Webmail-DOM-based-XSS-Exploit-via-SVG-href-Attribute

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-25916, a DOM-based XSS vulnerability in Roundcube Webmail versions before 1.6.9. The exploit leverages improperly sanitized SVG href attributes to execute JavaScript payloads via crafted emails.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Roundcube Webmail < 1.6.9

No auth needed

Prerequisites: SMTP access to send emails · Victim interaction (opening the email)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources

https://news.ycombinator.com/item?id=46937012

Various Sources

https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/

Patch

https://github.com/roundcube/roundcubemail/commit/26d7677

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0063

EPSS Percentile 45.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-420

Status published

Products (2)

Roundcube/Webmail < 1.5.13

Roundcube/Webmail 1.6.0 - 1.6.13

Published Feb 09, 2026

Tracked Since Feb 18, 2026