Stored cross-site scripting in Roundcube Webmail - #VU124142


Published: March 19, 2026 / Updated: March 19, 2026


Vulnerability identifier: #VU124142
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roundcube
Affected software:
Roundcube Webmail

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in a victim's browser by way of the HTML attachment preview.

The vulnerability exists due to insufficient validation and sanitization of attachment content in the HTML attachment preview component. A remote attacker can send an email carrying a specially crafted HTML attachment; because the attachment is stored in the recipient's mailbox, the payload persists until it is previewed. When the recipient previews it, the embedded script executes in the recipient's browser in the context of the webmail session, with the same access to the mailbox and account settings as the logged-in user.

User interaction is required, since the victim must open the preview, but the attacker needs no authentication or privileges on the target instance (CVSS PR:N, UI:P).
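The advisory does not include the affected code path, and the example below is not Roundcube's own PHP sanitizer. It is an added illustration of what a preview component has to do with attacker-supplied HTML before rendering it: rewrite the document against a tag and attribute allowlist (dropping script-bearing elements with their contents, event-handler attributes, inline styles and non-allowlisted URL schemes, after the same whitespace and control-character cleanup a browser applies to URLs), and serve the result with a sandboxing CSP so that anything the sanitizer misses still runs without script or origin privileges. The sample attachment, tag lists and header values are constructed for the example.

```python
"""Allowlist sanitizer for HTML attachment previews (illustrative, not Roundcube code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment: the shape of a stored-XSS probe, not a real exploit.
SAMPLE_ATTACHMENT = (
    "<html><body>"
    "<h1>Invoice</h1>"
    "<script>alert(document.cookie)</script>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(2)">pay now</a>'
    '<a href="https://example.com/pay">pay now (ok)</a>'
    '<iframe src="https://evil.example/"></iframe>'
    '<p style="background:url(javascript:alert(3))">thanks</p>'
    "</body></html>"
)

# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
# Elements passed through; any other tag is unwrapped (tag removed, text kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "h1", "h2", "h3", "ul", "ol", "li",
                "a", "img", "table", "tr", "td", "th", "span", "div", "blockquote", "pre", "code"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist; "style" and every on* handler are deliberately absent.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def url_is_safe(value):
    """Mirror browser URL cleanup before checking the scheme: tab/LF/CR are removed
    anywhere, leading/trailing C0 controls and spaces are stripped, then the scheme is
    compared case-insensitively. Relative URLs pass; javascript:, data:, vbscript: do not."""
    cleaned = value.translate({9: None, 10: None, 13: None}).strip(_C0_AND_SPACE)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class PreviewSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes entities (e.g. &colon;) so the checks see the real value.
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside an element from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name.startswith("on"):
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded "<script>" text cannot become markup again.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_preview(html_doc):
    parser = PreviewSanitizer()
    parser.feed(html_doc)
    parser.close()
    return "".join(parser.out)


def preview_headers():
    """Headers for the preview response (assumed values): a sandboxed, script-less document
    limits what any tag that slips past the sanitizer can do with the webmail session."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'; img-src https:; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(sanitize_preview(SAMPLE_ATTACHMENT))
```

The two layers are independent on purpose: the allowlist removes the active content the advisory describes, and the `sandbox` directive plus `default-src 'none'` mean that even a sanitizer bypass renders in an opaque origin with no script, no form submission and no access to the session cookie. Serving previews from a separate origin (a dedicated attachment host) gives the same isolation for clients that ignore CSP.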


Remediation

Install the security update from the vendor's website. Until it is applied, a general mitigation for this class of issue is to stop rendering HTML attachments inline in the webmail origin (serve them as downloads instead), which removes the preview that triggers the script.

Sources