Description
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Published: 2026-02-11
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via CSS injection
Action: Patch
AI Analysis

Impact

Roundcube Webmail contains a bug that allows attackers to inject arbitrary Cascading Style Sheets through mishandled comments. The flaw can be used to alter the appearance of mail messages, overlay malicious content, or create phishing interfaces without needing to execute JavaScript. This is reflected in CWE‑79 (XSS) and CWE‑829 (permissions mismatch) and may compromise user interaction and trust in the webmail client.

Affected Systems

Roundcube Webmail versions before 1.5.13 and before 1.6.13 deployed by Roundcube:Webmail are affected. The bug exists in all affected releases regardless of installation base and can impact any instance where user‑generated content is rendered.

Risk and Exploitability

The vulnerability has a CVSS score of 4.7, indicating moderate severity. The EPSS score is less than 1 %, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation activity to date. Attackers would likely need to inject malicious CSS into a user’s mailbox or a public page in the webmail interface, typically requiring the victim to view the crafted content. The availability of an easy remediation path reduces the overall risk for organizations that apply the update in a timely manner.

Generated by OpenCVE AI on April 17, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roundcube Webmail to version 1.5.13 or later 1.6.13.
  • If an upgrade cannot be performed immediately, block or sanitize user input that could be interpreted as CSS comments or styles, preventing malformed comments from reaching the output.
  • Configure a Content Security Policy that restricts the use of inline styles and disallows user‑supplied CSS.
  • Review plugins and extensions for potential comment injection vectors and disable any that are unnecessary.

Generated by OpenCVE AI on April 17, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4480-1 roundcube security update
Debian DSA Debian DSA DSA-6137-1 roundcube security update
History

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments
Weaknesses CWE-79
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 11 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Description Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
First Time appeared Roundcube
Roundcube webmail
Weaknesses CWE-829
CPEs cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Vendors & Products Roundcube
Roundcube webmail
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

Roundcube Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-11T16:06:28.336Z

Reserved: 2026-02-11T04:27:24.001Z

Link: CVE-2026-26079

cve-icon Vulnrichment

Updated: 2026-02-11T16:06:12.910Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T05:16:28.650

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26079

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-11T04:27:24Z

Links: CVE-2026-26079 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses