Every CVE whose affected-product data names Roundcube Webmail, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (80)
CVE-2008-5619 — CVSS 10.0 (critical): html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and…
CVE-2020-12640 — CVSS 9.8 (critical): Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to…
CVE-2024-37385 — CVSS 9.8 (critical): Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE…
CVE-2024-42008 — CVSS 9.3 (critical): A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote…
CVE-2017-8114 — CVSS 8.8 (high): Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and…
CVE-2015-2181 — CVSS 8.8 (high): Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified…
CVE-2016-4069 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of…
CVE-2015-2180 — CVSS 8.8 (high): The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell…
CVE-2018-9846 — CVSS 8.8 (high): In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized…
CVE-2008-5620 — CVSS 7.8 (high): RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted…
CVE-2016-9920 — CVSS 7.5 (high): steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is…
CVE-2018-19205 — CVSS 7.5 (high): Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive…
CVE-2018-1000071 — CVSS 7.5 (high): roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg…
CVE-2013-6172 — CVSS 7.5 (high): steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings…
CVE-2015-5383 — CVSS 7.5 (high): Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp…
CVE-2019-15237 — CVSS 7.4 (high): Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
CVE-2025-68460 — CVSS 7.2 (high): Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.
CVE-2014-9587 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the…
CVE-2009-4077 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication…
CVE-2009-4076 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication…
CVE-2020-12626 — CVSS 6.5 (medium): An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was…
CVE-2015-5382 — CVSS 6.5 (medium): program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read…
CVE-2015-5381 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to…
CVE-2015-8793 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote…
CVE-2015-8864 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject…
CVE-2016-4068 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject…
CVE-2016-4552 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML…
CVE-2017-6820 — CVSS 6.1 (medium): rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted…
CVE-2018-19206 — CVSS 6.1 (medium): steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY…
CVE-2020-12625 — CVSS 6.1 (medium): An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because…
CVE-2020-13964 — CVSS 6.1 (medium): An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the…
CVE-2020-15562 — CVSS 6.1 (medium): An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML…
CVE-2020-16145 — CVSS 6.1 (medium): Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue…
CVE-2021-44025 — CVSS 6.1 (medium): Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type…
CVE-2023-47272 — CVSS 6.1 (medium): Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment…
CVE-2024-37384 — CVSS 6.1 (medium): Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
CVE-2024-57004 — CVSS 6.1 (medium): Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an…
CVE-2026-35539 — CVSS 6.1 (medium): An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in…
CVE-2017-17688 — CVSS 5.9 (medium): The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext…
CVE-2011-1492 — CVSS 5.5 (medium): steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external…
CVE-2026-35540 — CVSS 5.4 (medium): An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail…
CVE-2021-26925 — CVSS 5.4 (medium): Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
CVE-2020-18670 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
CVE-2020-18671 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
CVE-2026-35542 — CVSS 5.3 (medium): An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted…
CVE-2026-35544 — CVSS 5.3 (medium): An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML…
CVE-2026-35545 — CVSS 5.3 (medium): An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in…
CVE-2026-35543 — CVSS 5.3 (medium): An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content…
CVE-2005-4368 — CVSS 5.0 (medium): roundcube webmail Alpha, with a default high verbose level ($rcmail_config['debug_level'] = 1), allows remote attackers to obtain the full…
CVE-2013-1904 — CVSS 5.0 (medium): Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote…
CVE-2010-0464 — CVSS 5.0 (medium): Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which…
CVE-2011-4078 — CVSS 5.0 (medium): include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET…
CVE-2011-2937 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attackers to…
CVE-2007-6321 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer…
CVE-2015-1433 — CVSS 4.3 (medium): program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct…
CVE-2013-5645 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject…
CVE-2012-6121 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML…
CVE-2019-10740 — CVSS 4.3 (medium): In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted…
CVE-2012-4668 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or…
CVE-2012-3508 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary…
CVE-2026-35541 — CVSS 4.2 (medium): An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to…
CVE-2026-35537 — CVSS 3.7 (low): An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may…
CVE-2011-1491 — CVSS 3.5 (low): The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which…
CVE-2015-8105 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote…
CVE-2013-5646 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or…
CVE-2026-35538 — CVSS 3.1 (low): An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP…
CVE-2012-3507 — CVSS 2.6 (low): Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin…
CVE-2012-1253 — CVSS 2.6 (low): Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject…