Roundcube

Webmail

82 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.2

CVE-2026-35545

  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 04:02:06
  • Zuletzt bearbeitet 07.04.2026 20:37:57

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate...

5.3

CVE-2026-35544

  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 03:59:49
  • Zuletzt bearbeitet 09.04.2026 01:09:00

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

5.3

CVE-2026-35543

  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 03:57:06
  • Zuletzt bearbeitet 07.04.2026 20:40:11

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

5.3

CVE-2026-35542

  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 03:54:18
  • Zuletzt bearbeitet 07.04.2026 20:41:01

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-cont...

4.2

CVE-2026-35541

  • EPSS 0.04%
  • Veröffentlicht 03.04.2026 03:50:47
  • Zuletzt bearbeitet 07.04.2026 20:45:56

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

6.5

CVE-2026-35540

  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 03:47:51
  • Zuletzt bearbeitet 07.04.2026 20:52:15

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

6.1

CVE-2026-35539

  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 03:39:17
  • Zuletzt bearbeitet 07.04.2026 20:53:07

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

3.1

CVE-2026-35538

  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 03:35:36
  • Zuletzt bearbeitet 07.04.2026 20:54:28

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

7.5

CVE-2026-35537

  • EPSS 0.03%
  • Veröffentlicht 03.04.2026 03:28:29
  • Zuletzt bearbeitet 13.04.2026 17:54:32

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

4.7

CVE-2026-26079

  • EPSS 0.09%
  • Veröffentlicht 11.02.2026 04:27:24
  • Zuletzt bearbeitet 15.04.2026 00:35:42

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.