threatengine.sh

Product: roundcube webmail
120 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Severity | Summary (truncated)
CVE-2026-35391 | < 1.4.11 | 7.5 | HIGH | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin
CVE-2026-35390 | < 1.4.11 | 5.4 | MEDIUM | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Co
CVE-2026-35389 | < 1.4.11 | 7.5 | HIGH | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not v
CVE-2026-35545 | < 1.5.15 | 5.3 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG c
CVE-2026-35544 | <= 1.5.13 | 5.3 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in H
CVE-2026-35543 | < 1.5.14 | 5.3 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG c
CVE-2026-35542 | < 1.5.14 | 5.3 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a cra
CVE-2026-35541 | < 1.5.14 | 4.2 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could
CVE-2026-35540 | >= 1.6.0 and < 1.6.14 | 5.4 | MEDIUM | An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e
CVE-2026-35539 | < 1.5.14 | 6.1 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitiza
CVE-2026-35538 | < 1.5.14 | 3.1 | LOW | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMA
CVE-2026-35537 | < 1.5.14 | 3.7 | LOW | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handle
CVE-2026-34834 | < 1.4.10 | 7.5 | HIGH | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function c
CVE-2026-34833 | < 1.4.10 | 7.5 | HIGH | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpo
CVE-2025-68461 | < 1.5.12 | 7.2 | HIGH | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag i
CVE-2025-68460 | < 1.5.12 | 7.2 | HIGH | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitiz
CVE-2025-49113 | < 1.5.10 | 9.9 | CRITICAL | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from para
CVE-2024-57004 | all versions | 6.1 | MEDIUM | Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file a
CVE-2024-42009 | < 1.5.8 | 9.3 | CRITICAL | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send
CVE-2024-42008 | < 1.5.8 | 9.3 | CRITICAL | A Cross-Site Scripting vulnerability in rcmail_action_mail_get-run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a r
CVE-2024-37385 | < 1.5.7 | 9.8 | CRITICAL | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path
CVE-2024-37384 | < 1.5.7 | 6.1 | MEDIUM | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
CVE-2024-37383 | < 1.5.7 | 6.1 | MEDIUM | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
CVE-2023-47272 | >= 1.5.0 and < 1.5.6 | 6.1 | MEDIUM | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachme
CVE-2023-5631 | < 1.4.15 | 6.1 | MEDIUM | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SV
CVE-2023-43770 | < 1.4.14 | 6.1 | MEDIUM | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links b
CVE-2022-29360 | <= 1.16.0 | 5.4 | MEDIUM | The Email Viewer in RainLoop through 1.6.0 allows XSS via a crafted email message.
CVE-2021-44026 | < 1.3.17 | 9.8 | CRITICAL | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
CVE-2021-44025 | < 1.3.17 | 6.1 | MEDIUM | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a M
CVE-2020-18671 | <= 1.4.4 | 5.4 | MEDIUM | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
CVE-2020-18670 | all versions | 5.4 | MEDIUM | Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php.
CVE-2021-26925 | < 1.4.11 | 5.4 | MEDIUM | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
CVE-2020-35730 | < 1.2.13 | 6.1 | MEDIUM | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can sen
CVE-2020-16145 | < 1.3.15 | 6.1 | MEDIUM | Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. Th
CVE-2020-15562 | < 1.2.11 | 6.1 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a craft
CVE-2020-13965 | < 1.3.12 | 6.1 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment bec
CVE-2020-13964 | < 1.3.12 | 6.1 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via t
CVE-2020-12641 | >= 1.2.0 and < 1.2.10 | 9.8 | CRITICAL | rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configu
CVE-2020-12640 | >= 1.2.0 and < 1.2.10 | 9.8 | CRITICAL | Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name t
CVE-2020-12626 | < 1.4.4 | 6.5 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because
CVE-2020-12625 | < 1.4.4 | 6.1 | MEDIUM | An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.ph
CVE-2019-13389 | < 1.13.0 | 6.1 | MEDIUM | RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the
CVE-2019-15237 | <= 1.3.9 | 7.4 | HIGH | Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
CVE-2019-10740 | < 1.3.10 | 4.3 | MEDIUM | In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within
CVE-2018-19206 | < 1.3.8 | 6.1 | MEDIUM | steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a
CVE-2018-19205 | < 1.3.7 | 7.5 | HIGH | Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive
CVE-2017-17688 | all versions | 5.9 | MEDIUM | The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exf
CVE-2018-9846 | >= 1.2.0 and <= 1.3.5 | 8.8 | HIGH | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitize
CVE-2018-1000071 | <= 1.3.4 | 7.5 | HIGH | roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltratio
CVE-2017-16651 | <= 1.1.9 | 7.8 | HIGH | Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the h
CVE-2017-14597 | all versions | 4.8 | MEDIUM | AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the txtDomainName field to adminpanel/modules/pro/inc/ajax.php d
CVE-2015-5383 | all versions | 7.5 | HIGH | Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (
CVE-2015-5382 | all versions | 6.5 | MEDIUM | program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to
CVE-2015-5381 | all versions | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attac
CVE-2017-8114 | < 1.0.11 | 8.8 | HIGH | Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9
CVE-2016-4068 | <= 1.0.8 | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to injec
CVE-2015-8864 | <= 1.0.8 | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to injec
CVE-2017-6820 | <= 1.1.7 | 6.1 | MEDIUM | rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a craf
CVE-2015-2181 | < 1.1.0 | 8.8 | HIGH | Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have uns
CVE-2015-2180 | <= 1.1 | 8.8 | HIGH | The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell
CVE-2016-4552 | all versions | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script
CVE-2016-9920 | <= 1.1.6 | 7.5 | HIGH | steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail progr
CVE-2016-4069 | <= 1.1.4 | 8.8 | HIGH | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentica
CVE-2015-8793 | <= 1.0.5 | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows rem
CVE-2015-8105 | <= 1.0.6 |  |  | Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remo
CVE-2015-1433 | <= 1.0.4 |  |  | program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers t
CVE-2014-9587 | <= 1.0.3 |  |  | Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the
CVE-2013-1904 | <= 0.7.2 |  |  | Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows r
CVE-2013-6172 | <= 0.8.6 |  |  | steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration
CVE-2013-5646 | all versions |  |  | Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web sc
CVE-2013-5645 | <= 0.9.2 |  |  | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inje
CVE-2012-6121 | <= 0.8.4 |  |  | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script
CVE-2012-4668 | <= 0.8.1 |  |  | Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web sc
CVE-2012-3508 | all versions |  |  | Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject a
CVE-2012-3507 | <= 0.7.3 |  |  | Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry sk
CVE-2012-1253 | <= 0.6 |  |  | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers
CVE-2011-4078 | <= 0.5.4 |  |  | include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a G
CVE-2010-4930 | <= 6.1.9 |  |  | Cross-site scripting (XSS) vulnerability in index.php in @mail Webmail before 6.2.0 allows remote attackers to inject arbitrary we
CVE-2011-2937 | <= 0.5.3 |  |  | Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attacker
CVE-2011-1492 | <= 0.5 |  |  | steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an ext
CVE-2011-1491 | <= 0.5 |  |  | The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt,
CVE-2010-0464 | <= 0.3.1 |  |  | Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messag
CVE-2009-4077 | <= 0.2.2 |  |  | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authe
CVE-2009-4076 | <= 0.2.2 |  |  | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authe
CVE-2009-0413 | all versions |  |  | Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitra
CVE-2008-5620 | <= 0.2 |  |  | RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via cr
CVE-2008-5619 | all versions |  |  | html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alp
CVE-2008-1055 | <= 3.1s |  |  | Format string vulnerability in webmail.exe in NetWin SurgeMail 38k4 and earlier and beta 39a, and WebMail 3.1s and earlier, allows
CVE-2008-0210 | all versions |  |  | Uebimiau Webmail 2.7.10 and 2.7.2 does not protect authentication state variables from being set through HTTP requests, which allo
CVE-2008-0140 | all versions |  |  | Directory traversal vulnerability in error.php in Uebimiau Webmail 2.7.10 and 2.7.2 allows remote authenticated users to read arbi
CVE-2007-6321 | <= 0.1 |  |  | Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explor
CVE-2007-2655 | all versions |  |  | Unspecified vulnerability in NetWin Webmail 3.1s-1 in SurgeMail before 3.8i2 has unknown impact and remote attack vectors, possibl
CVE-2006-0818 | all versions |  |  | Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and
CVE-2006-0817 | all versions |  |  | Absolute path directory traversal vulnerability in (a) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and
CVE-2006-2484 | all versions |  |  | Cross-site scripting (XSS) vulnerability in index.html in IceWarp WebMail 5.5.1 and earlier allows remote attackers to inject arbi
CVE-2005-4559 | all versions |  |  | mail/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, d
CVE-2005-4558 | all versions |  |  | IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly rest
CVE-2005-4557 | all versions |  |  | dir/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, al
CVE-2005-4556 | all versions |  |  | PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server vers
CVE-2005-4368 | all versions |  |  | roundcube webmail Alpha, with a default high verbose level ($rcmail_config['debug_level'] = 1), allows remote attackers to obtain
CVE-2005-3133 | all versions |  |  | Multiple directory traversal vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier version
CVE-2005-3132 | all versions |  |  | MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to obtain sensitive i
CVE-2005-3131 | all versions |  |  | Multiple cross-site scripting (XSS) vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier
CVE-2005-1491 | all versions |  |  | Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allows remote authenticated users to (1) move their home directory via viewact
CVE-2005-1490 | all versions |  |  | Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2, when the mailbox.dat file does not exist, allows remote authenticated users t
CVE-2005-1489 | all versions |  |  | Unknown vulnerability in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allows remote authenticated users to obtain the full
CVE-2005-1488 | all versions |  |  | Multiple cross-site scripting (XSS) vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allow remote authentica
CVE-2005-0322 | all versions |  |  | MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 and Mail Server 7.6.4r with Icewarp Mail Server 5.3.2 uses weak encryption in
CVE-2005-0321 | all versions |  |  | MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote authenticated users to gain sensitive information via an HTTP re
CVE-2005-0320 | all versions |  |  | Multiple cross-site scripting vulnerabilities in MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allow remote attackers to inj
CVE-2004-2548 | all versions |  |  | Multiple cross-site scripting (XSS) vulnerabilities in NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attackers to
CVE-2004-2547 | all versions |  |  | NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attackers to obtain sensitive information via HTTP requests that (a)
CVE-2004-1674 | all versions |  |  | viewaction.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to (1)
CVE-2004-1673 | all versions |  |  | accountsettings_add.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allow remote attackers
CVE-2004-1672 | all versions |  |  | attachment.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to view
CVE-2004-1671 | all versions |  |  | Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to gain sensitive informat
CVE-2004-1670 | all versions |  |  | Multiple directory traversal vulnerabilities Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7, and possibly other versions, all
CVE-2004-1669 | all versions |  |  | Cross-site scripting (XSS) vulnerability in MERAK Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows
CVE-2002-1899 | all versions |  |  | Cross-site scripting (XSS) vulnerability in IceWarp Web Mail 3.3.3 and 3.4.5 allows remote attackers to inject arbitrary web scrip
CVE-2002-0258 | all versions |  |  | Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow