SB2026052501 - Multiple vulnerabilities in Roundcube Webmail
Published: May 25, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary script or style content.
The vulnerability exists due to stored cross-site scripting in the subject field of the draft restore dialog when rendering restored draft data. A remote user can save a specially crafted draft subject to inject arbitrary script or style content.
2) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary style content.
The vulnerability exists due to improper input validation in the HTML sanitizer when processing SVG animate elements with attributeName="style". A remote attacker can supply specially crafted HTML or SVG content to inject arbitrary style content.
3) SQL injection (CVE-ID: N/A)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Red
The vulnerability allows a remote attacker to execute unauthorized SQL queries.
The vulnerability exists due to SQL injection in the virtuser_query plugin when processing input through preg_replace backslash escape handling. A remote non-authenticated attacker can send specially crafted input to execute unauthorized SQL queries.
4) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to make the application send requests to unintended local addresses.
The vulnerability exists due to improper access control in URL fetching logic when handling specific local address URLs. A remote attacker can supply a specially crafted URL to make the application send requests to unintended local addresses.
5) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to make the application fetch local or private URLs despite restrictions.
The vulnerability exists due to improper access control in remote resource fetching when handling local or private URLs while remote resources are disallowed. A remote attacker can supply a specially crafted URL to make the application fetch local or private URLs despite restrictions.
The issue occurs when remote resources are not allowed.
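Items 4 and 5 both describe fetch logic that lets a remote URL reach local or private addresses. The following is an added defensive illustration, not Roundcube's code; the function and module names are my own. It judges the resolved IP address rather than matching strings such as "localhost", so IPv6 loopback, IPv4-mapped IPv6 and hostnames pointing at internal ranges are also rejected.

```python
"""Destination check for server-side URL fetches (added defensive example).

Not Roundcube code. The fetcher must connect to the address validated
here, otherwise a second DNS lookup (rebinding) can still reach a
private host after the check has passed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(addr):
    """True only for globally routable, non-multicast addresses."""
    # ::ffff:10.0.0.1 is IPv6 on the surface; judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def _system_resolve(host):
    """Default resolver: every address the system returns for host, as strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_url(url, resolver=_system_resolve):
    """Return True if every address the URL can reach is public.

    The resolver is injectable so the check can be tested without DNS.
    """
    parts = urlsplit(url)
    host = parts.hostname  # IPv6 brackets already stripped, lowercased
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False
    # Reject if resolution yielded nothing or any answer is non-public.
    return bool(addrs) and all(_is_public(a) for a in addrs)
```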
6) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause remote images to be loaded despite blocking restrictions.
The vulnerability exists due to improper input validation in remote image blocking logic when processing CSS var() constructs. A remote attacker can supply specially crafted content using CSS var() to cause remote images to be loaded despite blocking restrictions.
7) External Control of File Name or Path (CVE-ID: N/A)
CWE-ID: CWE-73 - External Control of File Name or Path
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to delete arbitrary files.
The vulnerability exists due to improper access control in session handling when session data can be poisoned through Redis or Memcache. A remote non-authenticated attacker can poison session data to delete arbitrary files.
8) Code Injection (CVE-ID: N/A)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to inject and execute arbitrary code.
The vulnerability exists due to code injection in the LDAP autovalues option when evaluating configured values. A remote user can supply crafted values in LDAP autovalues configuration to inject and execute arbitrary code.
Exploitation requires use of the LDAP autovalues option.
Remediation
Install the update from the vendor's website.