Cross-site scripting in Roundcube Webmail - CVE-2026-54432
Published: July 5, 2026
Roundcube Webmail
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in a user's browser.
The vulnerability exists due to cross-site scripting in the attachment-validation warning page when rendering an unescaped attachment mime type. A remote user can store a crafted attachment mime type to execute arbitrary script code in a user's browser.