Roundcube Webmail versions prior to 1.5.14 and 1.6.14 allow a malicious user to inject JavaScript by delivering an HTML attachment that the webmail interface will preview without proper sanitization. When a victim opens the preview, the embedded script runs in the victim’s browser context, enabling the attacker to steal session cookies, deface the interface, or otherwise compromise the user’s browser session. This weakness maps to CWE‑79, an injection flaw that allows arbitrary client‑side code execution.

All installations of Roundcube Webmail that are running software versions older than 1.5.14 and 1.6.14 are affected. Users who have not upgraded to the patched releases introduced in the 1.5.14, 1.6.14, or later 1.7‑rc5 releases are at risk. The vulnerability applies to any deployment where the webmail client can render HTML attachments in preview mode.

The CVSS score of 6.1 indicates a moderate severity impact on confidentiality and integrity. The EPSS score of less than 1% suggests that exploitation of this flaw is unlikely to be broadly observed in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploits as of the data snapshot. The likely attack vector is client‑side: the attacker must embed malicious content in an email attachment and persuade, or trick, a user to preview the attachment; once the preview is rendered, the script will execute within the victim’s browser.