Security Vulnerabilities
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
CVSS Score
3.1
EPSS Score
0.0
Published
2026-04-03
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-04-03
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
CVSS Score
3.7
EPSS Score
0.0
Published
2026-04-03
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.
CVSS Score
7.2
EPSS Score
0.001
Published
2026-04-03
A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-04-03
Shynet before 0.14.0 allows Host header injection in the password reset flow.
CVSS Score
6.4
EPSS Score
0.0
Published
2026-04-03
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-04-03
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
CVSS Score
10.0
EPSS Score
0.001
Published
2026-04-03
Server-side request forgery (SSRF) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
CVSS Score
10.0
EPSS Score
0.001
Published
2026-04-03
Server-side request forgery (SSRF) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.
CVSS Score
9.6
EPSS Score
0.0
Published
2026-04-03


Shodan ® - All rights reserved