Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
Published: 2026-04-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via Remote HTML Attachment Preview
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a reflected cross‑site scripting flaw caused by insufficient sanitization of HTML attachments in the preview mode of Roundcube Webmail. When a user previews a text/html attachment, the unsanitized content can execute arbitrary JavaScript in the victim's browser. The attacker could inject scripts to steal session cookies, perform phishing, or deliver malware, compromising the confidentiality and integrity of the victim's session.

Affected Systems

All installations of Roundcube Webmail using versions older than 1.5.14 or 1.6.14 are affected. This includes every deployment that has not yet upgraded to those or newer releases.

Risk and Exploitability

The CVSS score of 6.1 places this at medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires that a victim open or preview a malicious text/html attachment, which is a user‑initiated but easily induced activity. Because the exploit is client‑side, it can be triggered by any user who receives a malicious attachment, potentially leading to widespread phishing or credential theft.

Generated by OpenCVE AI on April 3, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Roundcube to version 1.5.14, 1.6.14, or newer releases (1.7-rc5 and beyond).
  • If immediate upgrade is not possible, disable the HTML attachment preview feature in the Roundcube configuration to prevent users from previewing potentially malicious content.
  • Avoid opening or installing unexpected HTML attachments, and validate attachment contents before previewing.

Advisories
Source: Github GHSA
ID: GHSA-x4q5-8j5g-hpjc
Title: Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode
History

Fri, 03 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: Title
Values Added: Cross‑Site Scripting via Previewing HTML Attachments in Roundcube

Type: First Time appeared
Values Added: Roundcube; Roundcube webmail

Type: Vendors & Products
Values Added: Roundcube; Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type: Description
Values Added: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T13:10:55.717Z

Reserved: 2026-04-03T03:39:16.997Z

Link: CVE-2026-35539

Vulnrichment

Updated: 2026-04-03T13:10:52.287Z

NVD

Status : Undergoing Analysis

Published: 2026-04-03T05:16:21.920

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:55Z

Weaknesses