Description
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
Published: 2026-05-25
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allow an attacker to inject HTML or CSS through the subject field of an email draft that is later restored in a shared mailbox. The subject is rendered without sanitization, so when another user of that mailbox triggers the draft restore the injected markup is rendered in their browser, and an injected script runs in that user's session. This stored XSS could be used to hijack the session, deface the UI, or perform actions on the victim's behalf. The root cause is missing output sanitization (CWE-79).
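The bug class described above, reduced to its essentials as an added example (this is not Roundcube's own code, and the "restore draft" prompt markup, the function names and the payloads are hypothetical): a stored subject is placed into a prompt, once by string concatenation and once escaped at the HTML boundary.

```javascript
// Added example for this page, not Roundcube's own code: the bug class behind
// CVE-2026-48849 reduced to its essentials. A stored draft subject is placed
// into a "restore draft?" prompt; the unsafe builder concatenates it into
// markup, the hardened builder escapes it at the HTML boundary. All function
// names and the prompt markup are hypothetical.

// Minimal HTML escaper for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: attacker-controlled subject lands in the markup verbatim.
function buildRestorePromptUnsafe(subject) {
  return '<div class="restore-draft">Restore draft "' + subject + '"?</div>';
}

// Hardened pattern: escape on output, in the context where the value is used.
// In a browser the equivalent is assigning the subject to element.textContent
// rather than to innerHTML.
function buildRestorePromptSafe(subject) {
  return '<div class="restore-draft">Restore draft "' + escapeHtml(subject) + '"?</div>';
}

// Heuristic check used to show the difference: after removing the wrapper the
// builder itself emits, is there any tag or style attribute left in the output?
function containsInjectedMarkup(html) {
  const body = html.replace('<div class="restore-draft">', '').replace('</div>', '');
  return /<\/?[a-z]|\bstyle\s*=/i.test(body);
}

// Constructed payloads (not from the advisory): a script-executing tag and a
// CSS injection that hides the page, the "HTML/CSS injection" the description names.
const SCRIPT_SUBJECT = '<img src=x onerror="alert(document.cookie)">';
const CSS_SUBJECT = '"><style>body{display:none}</style>';

for (const subject of [SCRIPT_SUBJECT, CSS_SUBJECT]) {
  console.log('unsafe injected:', containsInjectedMarkup(buildRestorePromptUnsafe(subject)));
  console.log('safe   injected:', containsInjectedMarkup(buildRestorePromptSafe(subject)));
}
```

The point of the `containsInjectedMarkup` check is only to make the difference visible: the unsafe builder leaves a live `<img>` or `<style>` element in the output, the escaped builder leaves only text. The real fix belongs at the render site, and escaping must match the context (text node, attribute, URL); a single escaper does not cover a subject interpolated into a `style` attribute or a URL.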

Affected Systems

Roundcube Webmail 1.6.x releases before 1.6.16 and 1.7.x releases before 1.7.1. The vulnerability is limited to installations that permit shared mailboxes where draft messages can be stored and later retrieved by other users.

Risk and Exploitability

The CVSS 3.1 base score of 4.4 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects limited confidentiality and integrity impact with a changed scope, and the EPSS estimate below 1% together with absence from the KEV catalog indicate a low exploitation probability under current conditions. Exploitation requires an authenticated user with write access to the shared mailbox to store a draft with a crafted subject (PR:L), and a victim in that mailbox to trigger the draft restore (UI:R). Once restored, the stored payload executes for every mailbox user who does so, so a single malicious draft can affect all users of that shared mailbox.

Generated by OpenCVE AI on May 25, 2026 at 21:23 UTC.

Remediation

The CVE record references no vendor fix or workaround. The affected-version ranges in the description identify 1.6.16 and 1.7.1 as the first releases outside the vulnerable range for the 1.6.x and 1.7.x series respectively.

OpenCVE Recommended Actions

  • Upgrade to Roundcube 1.6.16 (for 1.6.x) or 1.7.1 (for 1.7.x), the first releases outside the affected ranges, which sanitize the subject field on draft restore
  • Disable or restrict access to shared mailboxes until the patch is applied
  • Audit current mailboxes for legacy drafts that may contain unsanitized subjects and remove them manually
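A triage aid for the audit step above, added here as an example (not Roundcube tooling; function names and sample drafts are hypothetical and constructed). It pulls the Subject header out of raw draft messages, decodes RFC 2047 encoded-words so a base64- or Q-encoded payload does not slip past a naive grep, and flags subjects that contain HTML- or CSS-looking content for a human to review.

```javascript
// Added example for this page, not Roundcube tooling: a triage aid for the
// manual audit step. It extracts the Subject header from raw draft messages,
// decodes RFC 2047 encoded-words (B and Q; charset assumed UTF-8 for
// simplicity) so an encoded payload does not slip past the check, and flags
// subjects that contain HTML- or CSS-looking content. Function names and the
// sample drafts are hypothetical/constructed.

// Decode =?charset?B?...?= and =?charset?Q?...?= encoded-words in a header value.
// Simplification: every charset is treated as UTF-8, and whitespace between
// adjacent encoded-words is kept rather than dropped as RFC 2047 requires.
function decodeEncodedWords(value) {
  return value.replace(/=\?([^?]+)\?([bBqQ])\?([^?]*)\?=/g, (_m, _charset, enc, text) => {
    if (enc.toUpperCase() === 'B') {
      return Buffer.from(text, 'base64').toString('utf8');
    }
    // Q encoding: '_' is a space, '=XX' is a hex-encoded byte, anything else is literal.
    const bytes = [];
    for (let i = 0; i < text.length; i++) {
      const c = text[i];
      if (c === '_') {
        bytes.push(0x20);
      } else if (c === '=' && i + 2 < text.length) {
        bytes.push(parseInt(text.slice(i + 1, i + 3), 16));
        i += 2;
      } else {
        bytes.push(c.charCodeAt(0));
      }
    }
    return Buffer.from(bytes).toString('utf8');
  });
}

// Return the decoded Subject of a raw RFC 5322 message, or '' if absent.
// Folded header lines (line break followed by SP/HTAB) are joined first.
function extractSubject(rawMessage) {
  const headerBlock = rawMessage.split(/\r?\n\r?\n/)[0];
  const unfolded = headerBlock.replace(/\r?\n[ \t]+/g, ' ');
  for (const line of unfolded.split(/\r?\n/)) {
    const m = /^subject:\s*(.*)$/i.exec(line);
    if (m) return decodeEncodedWords(m[1]);
  }
  return '';
}

// Patterns a legitimate subject almost never contains. Deliberately broad:
// this is a triage list for a human to review, not a sanitizer.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z][^>]*>/i, // any HTML tag
  /\bon[a-z]+\s*=/i,        // event-handler attribute (onerror=, onclick=, ...)
  /\bstyle\s*=/i,           // inline CSS
  /javascript\s*:/i,        // script URL scheme
  /expression\s*\(/i,       // legacy CSS expression()
  /@import\b/i,             // CSS import
];

function looksInjected(subject) {
  return SUSPICIOUS.some((re) => re.test(subject));
}

// Run the check over a list of { id, raw } drafts and return the flagged ones.
function auditDrafts(drafts) {
  const hits = [];
  for (const draft of drafts) {
    const subject = extractSubject(draft.raw);
    if (looksInjected(subject)) hits.push({ id: draft.id, subject });
  }
  return hits;
}

// Constructed sample drafts (not real mailbox data). draft-3 hides its payload
// in a base64 encoded-word; draft-4 splits it across a folded line and Q encoding.
const SAMPLE_DRAFTS = [
  { id: 'draft-1', raw: 'From: alice@example.test\r\nSubject: Q3 budget review\r\n\r\nbody\r\n' },
  { id: 'draft-2', raw: 'Subject: <img src=x onerror=alert(1)>\r\n\r\nbody\r\n' },
  { id: 'draft-3', raw: 'Subject: =?UTF-8?B?PHN0eWxlPmJvZHl7ZGlzcGxheTpub25lfTwvc3R5bGU+?=\r\n\r\nbody\r\n' },
  { id: 'draft-4', raw: 'Subject: status\r\n update =?UTF-8?Q?a=3Cb_onclick=3Dx=3E?=\r\nTo: bob@example.test\r\n\r\nbody\r\n' },
];

for (const hit of auditDrafts(SAMPLE_DRAFTS)) {
  console.log(hit.id + ': ' + hit.subject);
}
```

To use it against a real Drafts folder, feed each message file (a Maildir entry or one mbox record) as the `raw` string; the decoding step matters because a subject stored as an encoded-word looks harmless in a raw grep for `<`. Treat hits as candidates for review, not as proof of an attack.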


Advisories

No advisories yet.

History

Tue, 26 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Removed:
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 21:45:00 +0000

Type: Title
Values Removed:
Values Added: Stored XSS via Unvalidated Subject Field in Draft Restoration for Roundcube Webmail

Mon, 25 May 2026 20:15:00 +0000

Type: Description
Values Removed:
Values Added: In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

Type: First Time appeared
Values Removed:
Values Added: Roundcube; Roundcube webmail

Type: Weaknesses
Values Removed:
Values Added: CWE-79

Type: CPEs
Values Removed:
Values Added: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed:
Values Added: Roundcube; Roundcube webmail

Type: References
Values Removed:
Values Added:

Type: Metrics (cvssV3_1)
Values Removed:
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Roundcube Webmail
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T13:01:11.210Z

Reserved: 2026-05-25T19:30:37.961Z

Link: CVE-2026-48849

Vulnrichment

Updated: 2026-05-26T13:01:08.590Z

NVD

Status : Received

Published: 2026-05-25T20:16:37.540

Modified: 2026-05-25T20:16:37.540

Link: CVE-2026-48849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T22:00:12Z

Weaknesses