7.2

CVE-2025-68461

Warnung
Medienbericht
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RoundcubeWebmail Version < 1.5.12
RoundcubeWebmail Version >= 1.6.0 < 1.6.12
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login

20.02.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

RoundCube Webmail Cross-site Scripting Vulnerability

Schwachstelle

RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.81% 0.896
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cve@mitre.org 7.2 3.9 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.