Threat Advisory

Roundcube Webmail Vulnerabilities Could Enable XSS and Information Disclosure Attacks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Roundcube Webmail contains two high-severity vulnerabilities across its supported release branches that affect the security and privacy of webmail users. The first flaw allows attackers to craft malicious emails containing specially constructed SVG images that exploit weaknesses in how Roundcube processes animation elements, enabling the execution of arbitrary JavaScript in a victim's browser and potentially leading to session hijacking, credential theft, or stealthy redirection to malicious sites. The second issue stems from insufficient sanitization in the HTML style-filtering logic, which can be abused to bypass the CSS filter and infer or exfiltrate sensitive interface data, undermining inbox privacy. Both issues carry significant risk and should be mitigated by promptly applying the latest patches provided for the affected release lines, to prevent exploitation through seemingly benign emails.

  • CVE-2025-68461: An XSS vulnerability in Roundcube Webmail in which malicious SVG animate tags can execute JavaScript. It allows attackers to run scripts in a user's browser when a crafted email is viewed, leading to session hijacking or credential theft. The vulnerability is due to improper sanitization of SVG content and exposes sensitive user data in webmail sessions. The vulnerability has a CVSS score of 7.2.
  • CVE-2025-68460: An information disclosure vulnerability in Roundcube Webmail due to improper HTML and CSS sanitization. Maliciously crafted emails can bypass the sanitizer and expose sensitive inbox data or webmail interface elements. This flaw can compromise user confidentiality and session integrity without requiring authentication. The vulnerability has a CVSS score of 7.2.
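As a compensating control while the patches are rolled out, a mail gateway can strip SVG animation elements and inline event-handler attributes from HTML bodies before they reach the webmail client. The following is an added example written for this advisory, not Roundcube code; the element list, the class and function names, and the sample message are constructed.

```python
import html
from html.parser import HTMLParser
# SVG SMIL animation elements; the advisory's XSS concerns how these are processed.
SVG_ANIMATION_TAGS = {"animate", "animatemotion", "animatetransform", "animatecolor", "set"}

class SvgAnimationStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # re-serialised output fragments
        self.dropped = []      # what was removed, for gateway logging
        self._skip_depth = 0   # >0 while inside a dropped element

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:      # names arrive lower-cased, values unescaped
            if name.startswith("on"):  # inline event handler such as onload
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        # Self-closing <animate/> also lands here via the default handle_startendtag.
        if self._skip_depth or tag in SVG_ANIMATION_TAGS:
            if not self._skip_depth:
                self.dropped.append(tag)
            self._skip_depth += 1       # swallow the element and its children
            return
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            self._skip_depth -= 1
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize_mail_html(body):
    # Returns (sanitised_html, dropped_items) for one HTML mail body.
    parser = SvgAnimationStripper()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample: harmless inline SVG with animation elements and an on* attribute.
SAMPLE_BODY = ('<p>Invoice &amp; terms</p><svg onload="track()" width="10">'
               '<rect width="10"><animate attributeName="width" to="10"/></rect>'
               '<set attributeName="fill" to="red"></set></svg>')
```

The `dropped` list is what a gateway would log so that stripped messages can be reviewed, and it gives a simple signal for hunting senders who repeatedly ship animated SVG in mail.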


RECOMMENDATION:

  • We strongly recommend updating Roundcube Webmail to version 1.5.12 or 1.6.12 (or later), depending on the release line in use.


REFERENCES:

The following reports contain further technical details:
