CVE-2026-48849

MEDIUM

Roundcube Webmail - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Title source: rule

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-48849. PoCs published by AnandJogawade.

AI-analyzed exploit summary The repository contains a technical writeup and proof-of-concept images demonstrating a stored XSS vulnerability in Roundcube Webmail (CVE-2026-48849). The README and images provide details on how the vulnerability can be exploited, but no functional exploit code is included.

Description

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

Exploits (2)

github WRITEUP

by AnandJogawade · poc

https://github.com/AnandJogawade/CVE-2026-48849-Roundcube-Webmail-Stored-XSS

View Code ZIP pw:eip

The repository contains a technical writeup and proof-of-concept images demonstrating a stored XSS vulnerability in Roundcube Webmail (CVE-2026-48849). The README and images provide details on how the vulnerability can be exploited, but no functional exploit code is included.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Roundcube Webmail

Auth required

Prerequisites: Access to Roundcube Webmail instance · Valid user credentials

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Jun 15, 2026 Full analysis →

nomisec WRITEUP