CVE-2025-68461

High KEV CVSS: 7.2

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

Vendor

Product

CWE

Yayın Tarihi

2025-12-18 05:15:56

Güncelleme

2026-02-23 13:24:12

Source Identifier

cve@mitre.org

KEV Date Added

2026-02-20

CWE-79 Webmail HIGH Roundcube 2025

https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68461

Medium

CVE-2026-35540

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization…

Medium

CVE-2026-35541

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plu…

Medium

CVE-2026-35542

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed…

Medium

CVE-2026-35543

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed…

Medium

CVE-2026-35545

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed…

Low

CVE-2026-35538

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could l…