Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
Published: 2026-05-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roundcube Webmail versions prior to 1.6.16 (1.6.x) and 1.7 (1.7.x) contain insufficient HTML sanitization that allows attackers to inject CSS through an SVG document containing an animate element with an attributeName attribute. This flaw can lead to cross-site scripting or other style-based attacks when a victim views or interacts with a maliciously crafted SVG, jeopardizing the confidentiality and integrity of user sessions. Based on the description, it is inferred that the attacker could trigger script execution.

Affected Systems

The vulnerability affects the Roundcube Webmail product. Versions 1.6.x before 1.6.16 and 1.7.x before 1.7 are impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates a high-severity risk. No EPSS data is available, so the exploitation likelihood is uncertain, and the issue is not listed in the CISA KEV catalog. Since Roundcube processes user-supplied HTML content, an attacker could exploit this flaw via any authenticated or unauthenticated request that accepts HTML, such as composing emails, editing contact details, or attaching SVG files. The resulting CSS injection could execute JavaScript in the victim's browser, enabling credential theft or session hijacking. Based on the description, it is inferred that the attacker could trigger script execution.

Generated by OpenCVE AI on May 25, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Roundcube to version 1.6.16 or newer, or 1.7.1 or newer, to apply the vendor’s fix for insufficient HTML sanitization.
  • If an update cannot be applied immediately, configure the webmail to strip SVG elements, or at least animate elements carrying attributeName, from any user-supplied content; alternatively, disable SVG support altogether.
  • Implement a Content Security Policy that blocks execution of scripts and restricts CSS styles from untrusted sources.
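As an added illustration of the second workaround (example code, not Roundcube's own sanitizer), the filter below re-emits HTML unchanged except for SVG animation elements that carry attributeName. It goes slightly beyond the advisory text by also covering set, animateTransform and animateMotion, which accept attributeName as well; tag and attribute names are compared lowercase because html.parser lowercases them.

```python
from html.parser import HTMLParser

# SMIL animation elements that accept attributeName (lowercased, as HTMLParser reports them).
ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}


class AnimateStripper(HTMLParser):
    """Re-emit markup verbatim, dropping animation elements that set attributeName."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &lt; etc. encoded on output
        self.out, self.skip_tag, self.removed = [], None, 0

    def _target(self, tag, attrs):
        return tag in ANIMATION_TAGS and any(k == "attributename" for k, _ in attrs)

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            return
        if self._target(tag, attrs):
            self.skip_tag, self.removed = tag, self.removed + 1  # skip until </tag>
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # self-closing form: <animate .../>
        if self.skip_tag:
            return
        if self._target(tag, attrs):
            self.removed += 1
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_tag = None
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_tag:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_tag:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped; they carry nothing a mail body needs


def strip_svg_animate(html: str):
    """Return (sanitized_html, number_of_removed_elements)."""
    parser = AnimateStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: two animation elements with attributeName and one without.
SAMPLE = ('<p>hi &amp; bye</p><svg><rect width="10" height="10">'
          '<animate attributeName="width" from="10" to="20" dur="1s"/>'
          '<set attributeName="fill" to="red"></set><animate dur="1s"/></rect></svg>')
```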

Advisories

Source      ID          Title
Debian DLA  DLA-4604-1  roundcube security update
Debian DSA  DSA-6301-1  roundcube security update

History

Tue, 26 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title CSS Injection via SVG in Roundcube Webmail

Mon, 25 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
First Time appeared Roundcube
Roundcube webmail
Weaknesses CWE-79
CPEs cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Vendors & Products Roundcube
Roundcube webmail
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T13:00:52.631Z

Reserved: 2026-05-25T19:27:54.328Z

Link: CVE-2026-48848

Vulnrichment

Updated: 2026-05-26T13:00:41.472Z

NVD

Status: Deferred

Published: 2026-05-25T20:16:37.413

Modified: 2026-05-26T19:26:42.643

Link: CVE-2026-48848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T21:00:11Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')