Shodan
Vulnerabilities
Vulnerable Software
Roundcube:  Security Vulnerabilities
CVE-2025-68461
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-12-18
CVE-2025-68460
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-12-18
CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
CVSS Score
9.9
EPSS Score
0.918
Published
2025-06-02
CVE-2024-57004
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
CVSS Score
6.1
EPSS Score
0.002
Published
2025-02-03
CVE-2024-42008
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
CVSS Score
9.3
EPSS Score
0.586
Published
2024-08-05
CVE-2024-42009
Known exploited
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
CVSS Score
9.3
EPSS Score
0.904
Published
2024-08-05
CVE-2024-37383
Known exploited
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
CVSS Score
6.1
EPSS Score
0.664
Published
2024-06-07
CVE-2024-37384
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-06-07
CVE-2024-37385
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
CVSS Score
9.8
EPSS Score
0.011
Published
2024-06-07
CVE-2023-47272
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
CVSS Score
6.1
EPSS Score
0.006
Published
2023-11-06


Products
Pricing
Contact Us

Shodan ® - All rights reserved