Cross-site scripting in Roundcube Webmail - CVE-2026-54433
Published: July 5, 2026
Roundcube Webmail
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary script code in a user's browser.
The vulnerability exists due to cross-site scripting in the plain-text rendering component when rendering plain-text content. A remote attacker can send a specially crafted email to execute arbitrary script code in a user's browser.
No user interaction is required beyond viewing the affected content.