
CVSS: 9.9 • EPSS: 76% • CPEs: 2 • EXPL: 9

02 Jun 2025 — Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. Roundcube Webmail versions prior to 1.5.10 and versions 1.6.x prior to 1.6.11 allow remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP object deserialization. An attack... • https://packetstorm.news/files/id/200786 • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.5 • EPSS: 2% • CPEs: 5 • EXPL: 1

05 Aug 2024 — mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. Multiple cross-site scripting vulnerabilities were discov... • https://github.com/victoni/Roundcube-CVE-2024-42008-and-CVE-2024-42010-POC • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.4 • EPSS: 4% • CPEs: 5 • EXPL: 3

05 Aug 2024 — A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail. • https://packetstorm.news/files/id/195349 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.4 • EPSS: 88% • CPEs: 5 • EXPL: 5

05 Aug 2024 — A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail. RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a craft... • https://packetstorm.news/files/id/195349 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 4% • CPEs: 2 • EXPL: 0

07 Jun 2024 — Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. • https://github.com/roundcube/roundcubemail/commit/5ea9f37ce39374b6124586c0590fec7015d35d7f • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.4 • EPSS: 72% • CPEs: 3 • EXPL: 4

07 Jun 2024 — Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. • https://packetstorm.news/files/id/182334 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

07 Jun 2024 — Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 2... • https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 0% • CPEs: 8 • EXPL: 0

05 Nov 2023 — Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbit... • https://github.com/roundcube/roundcubemail/commit/5ec496885e18ec6af956e8c0d627856c2257ba2d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 • EPSS: 91% • CPEs: 7 • EXPL: 2

18 Oct 2023 — Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allow stored XSS via an HTML e-mail message with a crafted SVG document because of the behavior of program/lib/Roundcube/rcube_wa... • https://github.com/soreta2/CVE-2023-5631-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 75% • CPEs: 4 • EXPL: 3

22 Sep 2023 — Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allow XSS via text/plain e-mail messages with crafted links because of the behavior of program/lib/Roundcube/rcube_string_replacer.php. It was discovered that Roundcube Webmail incorrectly sanitized charac... • https://github.com/s3cb0y/CVE-2023-43770-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •