Description
In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim's authenticated session simply by opening or previewing the message (zero-click).
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 14 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim's authenticated session simply by opening or previewing the message (zero-click). | |
| First Time appeared |
Roundcube
Roundcube webmail |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Roundcube
Roundcube webmail |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-14T16:18:16.549Z
Reserved: 2026-06-15T13:29:12.505Z
Link: CVE-2026-54433
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T17:30:04Z
Weaknesses
-
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')