Multiple security vulnerabilities affecting Roundcube versions The flaws affect Roundcube before 1 have been identified in Roundcube before 1.7.2 and before 1.6.17, which pose a high risk to users due to potential zero-click XSS attacks. The flaws affect plain-text email rendering and an unescaped attachment MIME type on the warning page.
CVE-2026-54433: A stored XSS vulnerability exists in Roundcube's plain-text message rendering, allowing attackers to run script inside the mailbox session with access to messages, contacts, or account passwords.[/subscribe_to_unlock_form]
Multiple security vulnerabilities affecting Roundcube versions The flaws affect Roundcube before 1 have been identified in Roundcube before 1.7.2 and before 1.6.17, which pose a high risk to users due to potential zero-click XSS attacks. The flaws affect plain-text email rendering and an unescaped attachment MIME type on the warning page.
CVE-2026-54433: A stored XSS vulnerability exists in Roundcube's plain-text message rendering, allowing attackers to run script inside the mailbox session with access to messages, contacts, or account passwords.[emaillocker id="1283"]
CVE-2026-54432: An SSRF bypass vulnerability was discovered in Roundcube's TNEF decoder, which can be exploited by malicious emails. These vulnerabilities collectively present a significant risk to users who have not updated their Roundcube installations. Administrators should update now to close these vulnerabilities. These vulnerabilities collectively present a significant risk to users who have not updated their Roundcube installations.
These vulnerabilities collectively present a significant risk to users who have not updated their Roundcube installations.
We recommend you to update Roundcube to version 1.7.2 or 1.6.17.
The following reports contain further technical details:
[/emaillocker]