CVE-2026-48848

HIGH

Roundcube Webmail - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Title source: rule

Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

References (5)

Core 5

Core References

https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27

View Patch ZIP pw:eip

https://github.com/roundcube/roundcubemail/releases/tag/1.6.16

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1

https://github.com/roundcube/roundcubemail/releases/tag/1.7.1

https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9

View Patch ZIP pw:eip

Scores

CVSS v3 7.2

EPSS 0.0034

EPSS Percentile 25.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

Roundcube/Webmail 1.6.0 - 1.6.16

Roundcube/Webmail 1.7.0 - 1.7.1

Published May 25, 2026

Tracked Since May 26, 2026