CVE-2026-9818
- EPSS -
- Veröffentlicht 28.05.2026 12:16:05
- Zuletzt bearbeitet 28.05.2026 17:16:36
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-48849
- EPSS 0.24%
- Veröffentlicht 25.05.2026 19:30:38
- Zuletzt bearbeitet 26.05.2026 19:26:42
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
CVE-2026-48848
- EPSS 0.39%
- Veröffentlicht 25.05.2026 19:27:54
- Zuletzt bearbeitet 26.05.2026 19:26:42
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
CVE-2026-48847
- EPSS 0.43%
- Veröffentlicht 25.05.2026 19:23:40
- Zuletzt bearbeitet 26.05.2026 19:26:42
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
CVE-2026-48846
- EPSS 0.34%
- Veröffentlicht 25.05.2026 19:21:09
- Zuletzt bearbeitet 26.05.2026 19:26:42
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
CVE-2026-48845
- EPSS 0.32%
- Veröffentlicht 25.05.2026 19:18:09
- Zuletzt bearbeitet 26.05.2026 19:26:42
In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email...
CVE-2026-48844
- EPSS 0.41%
- Veröffentlicht 25.05.2026 19:14:48
- Zuletzt bearbeitet 26.05.2026 19:26:42
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
CVE-2026-48843
- EPSS 0.3%
- Veröffentlicht 25.05.2026 19:11:04
- Zuletzt bearbeitet 26.05.2026 19:26:42
Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network h...
CVE-2026-48842
- EPSS 0.76%
- Veröffentlicht 25.05.2026 19:06:37
- Zuletzt bearbeitet 03.06.2026 22:16:34
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
CVE-2026-35545
- EPSS 0.33%
- Veröffentlicht 03.04.2026 04:02:06
- Zuletzt bearbeitet 07.04.2026 20:37:57
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate...