| purl | pkg:deb/debian/roundcube@0.3.1-6 |
| Next non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Latest non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-14vp-t71a-4bh1
Aliases: CVE-2021-46144 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-1aph-76b1-eyhv
Aliases: CVE-2011-2937 |
Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. |
Affected by 61 other vulnerabilities. |
|
VCID-23v8-vzqs-j3f6
Aliases: CVE-2015-5382 |
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard. |
Affected by 49 other vulnerabilities. |
|
VCID-2eyy-k49d-m3af
Aliases: CVE-2021-44026 |
Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-2hap-9mqs-v3b8
Aliases: CVE-2026-35541 GHSA-46pv-mj2g-93gh |
Roundcube Webmail: Incorrect password comparison in the password plugin |
Affected by 0 other vulnerabilities. |
|
VCID-2k4q-26tk-j3gx
Aliases: CVE-2024-42010 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-2nb2-9vgp-tqg9
Aliases: CVE-2025-68460 |
roundcubemail: Roundcube Webmail: Information Disclosure via HTML Style Sanitizer |
Affected by 0 other vulnerabilities. |
|
VCID-36et-26h7-pke7
Aliases: CVE-2024-42008 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-3kyu-tx4q-p3aq
Aliases: CVE-2025-49113 GHSA-8j8w-wwqc-x596 |
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. |
Affected by 0 other vulnerabilities. |
|
VCID-489e-j7sj-5kgv
Aliases: CVE-2015-2180 |
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password. |
Affected by 49 other vulnerabilities. |
|
VCID-4yzj-hrqv-vbcp
Aliases: CVE-2026-25916 |
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. |
Affected by 0 other vulnerabilities. |
|
VCID-53mq-nmxf-eug3
Aliases: CVE-2011-1492 |
steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request. |
Affected by 61 other vulnerabilities. |
|
VCID-5yts-xnha-4bf3
Aliases: CVE-2026-35539 GHSA-x4q5-8j5g-hpjc |
Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode |
Affected by 0 other vulnerabilities. |
|
VCID-76t7-q4pa-gkct
Aliases: CVE-2015-5381 |
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. |
Affected by 49 other vulnerabilities. |
|
VCID-79me-pjdn-ykgq
Aliases: CVE-2020-12640 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 14 other vulnerabilities. |
|
VCID-7hh1-8grz-7fa9
Aliases: CVE-2011-4078 |
include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379. |
Affected by 61 other vulnerabilities. |
|
VCID-7nn6-aywu-z7g8
Aliases: CVE-2020-13964 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-8keg-wbj1-8ua9
Aliases: CVE-2011-1491 |
The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then compose an e-mail message, related to a "login CSRF" issue. |
Affected by 61 other vulnerabilities. |
|
VCID-8vmm-1hvf-17ap
Aliases: CVE-2026-35542 GHSA-5hf6-crg4-fg59 |
Roundcube: Bypass of remote image blocking via crafted BODY background attribute |
Affected by 0 other vulnerabilities. |
|
VCID-8xf2-hjfv-hybh
Aliases: CVE-2026-35544 GHSA-xpqh-grpw-4xmg |
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages |
Affected by 0 other vulnerabilities. |
|
VCID-9der-5csu-nbbq
Aliases: CVE-2024-42009 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-9ktu-55q4-3kau
Aliases: CVE-2018-19205 |
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. |
Affected by 36 other vulnerabilities. |
|
VCID-9uqr-ph81-gfef
Aliases: CVE-2015-2181 |
Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. |
Affected by 49 other vulnerabilities. |
|
VCID-9uv1-gqq7-3kc9
Aliases: CVE-2025-68461 |
roundcubemail: Roundcube Webmail: Cross-Site Scripting (XSS) vulnerability via crafted SVG animate tag |
Affected by 0 other vulnerabilities. |
|
VCID-brmp-djyb-q3b7
Aliases: CVE-2016-4069 |
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. |
Affected by 42 other vulnerabilities. |
|
VCID-c196-941x-8kfj
Aliases: CVE-2013-1904 |
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013. |
Affected by 61 other vulnerabilities. |
|
VCID-c4ys-1wzp-vqej
Aliases: CVE-2017-8114 |
A vulnerability in RoundCube may allow authenticated users to bypass security restrictions. |
Affected by 42 other vulnerabilities. |
|
VCID-cjkd-2jr6-n7as
Aliases: CVE-2024-37383 |
roundcubemail: allows XSS via SVG animate attributes |
Affected by 14 other vulnerabilities. |
|
VCID-ck88-1urs-2kes
Aliases: CVE-2026-35543 GHSA-j2g6-8rvg-7mf6 |
Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message |
Affected by 0 other vulnerabilities. |
|
VCID-cnkc-vcp7-6kcw
Aliases: CVE-2020-12626 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-ddfq-28qm-2fbn
Aliases: CVE-2026-35545 GHSA-w846-74jr-76cv |
Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message |
Affected by 0 other vulnerabilities. |
|
VCID-dzu5-531f-qqgy
Aliases: CVE-2015-1433 |
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. |
Affected by 49 other vulnerabilities. |
|
VCID-ekhg-mmjb-v3c3
Aliases: CVE-2016-9920 |
A vulnerability in Roundcube could potentially lead to arbitrary code execution. |
Affected by 42 other vulnerabilities. |
|
VCID-fuh5-bwaq-yyfk
Aliases: CVE-2017-16651 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-g7dn-kxs3-p7bx
Aliases: CVE-2015-8770 |
Multiple vulnerabilities have been found in Roundcube allowing remote authenticated users to execute arbitrary code, inject arbitrary web scripts, and perform cross-site scripting (XSS). |
Affected by 61 other vulnerabilities. Affected by 49 other vulnerabilities. |
|
VCID-gh6k-19h8-fqbf
Aliases: CVE-2026-35538 GHSA-8jr8-v43g-5c57 |
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments |
Affected by 0 other vulnerabilities. |
|
VCID-hg1a-vx5c-hue3
Aliases: CVE-2020-12641 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 14 other vulnerabilities. |
|
VCID-j29t-cw2h-mfd8
Aliases: CVE-2018-1000071 |
Roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appears to be exploitable via network connectivity. |
Affected by 36 other vulnerabilities. |
|
VCID-ja7n-zgpp-dfh4
Aliases: CVE-2013-6172 |
A vulnerability in Roundcube could result in arbitrary code execution, SQL injection, or reading of arbitrary files. |
Affected by 61 other vulnerabilities. Affected by 49 other vulnerabilities. |
|
VCID-jck5-xymf-s3bh
Aliases: CVE-2020-16145 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-jqs5-8ct7-wfgk
Aliases: CVE-2021-26925 |
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. |
Affected by 14 other vulnerabilities. |
|
VCID-kch8-wrzv-bfdm
Aliases: CVE-2012-4668 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email. |
Affected by 61 other vulnerabilities. |
|
VCID-kep3-256k-fqdm
Aliases: CVE-2012-1253 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment. |
Affected by 61 other vulnerabilities. |
|
VCID-kf54-x29g-63fb
Aliases: CVE-2015-8794 |
Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling. |
Affected by 49 other vulnerabilities. |
|
VCID-kyxz-v3sj-w3cw
Aliases: CVE-2020-18671 |
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. |
Affected by 14 other vulnerabilities. |
|
VCID-m4yc-ms54-zyhv
Aliases: CVE-2020-13965 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-ncbg-6m11-3qan
Aliases: CVE-2023-47272 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-qfyq-umv5-e7h1
Aliases: CVE-2012-3508 |
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email. |
Affected by 61 other vulnerabilities. |
|
VCID-qr2m-f4yw-qqa5
Aliases: CVE-2013-5645 |
Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save_identity.inc. |
Affected by 49 other vulnerabilities. |
|
VCID-qwak-6wgy-wfgs
Aliases: CVE-2024-37384 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-r1hb-f5nm-ykhk
Aliases: CVE-2015-8105 |
Multiple vulnerabilities have been found in Roundcube allowing remote authenticated users to execute arbitrary code, inject arbitrary web scripts, and perform cross-site scripting (XSS). |
Affected by 49 other vulnerabilities. |
|
VCID-rc91-j3kf-zfch
Aliases: CVE-2020-15562 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-rthq-fqk2-yydk
Aliases: CVE-2016-4068 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. |
Affected by 42 other vulnerabilities. |
|
VCID-s6p1-rf35-euhy
Aliases: CVE-2023-43770 |
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. |
Affected by 14 other vulnerabilities. |
|
VCID-spk8-q616-rkda
Aliases: CVE-2015-8864 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. |
Affected by 42 other vulnerabilities. |
|
VCID-tmch-gj6d-tyfq
Aliases: CVE-2016-4552 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message. |
Affected by 42 other vulnerabilities. |
|
VCID-ts1p-pw9v-cbh3
Aliases: CVE-2018-19206 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-u8a4-4pe2-9kcb
Aliases: CVE-2020-35730 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-ub6x-9dku-c7fk
Aliases: CVE-2026-35540 GHSA-vxg2-hhgr-37fx |
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages |
Affected by 0 other vulnerabilities. |
|
VCID-ur1a-7tdn-h3hu
Aliases: CVE-2019-10740 |
In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. |
Affected by 36 other vulnerabilities. |
|
VCID-vehj-ytsm-kqgz
Aliases: CVE-2023-5631 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-vtz8-zmp4-xbdh
Aliases: CVE-2026-26079 |
roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments |
Affected by 0 other vulnerabilities. |
|
VCID-x9j7-98zt-6ygt
Aliases: CVE-2020-12625 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-xssa-fwbx-kybq
Aliases: CVE-2020-18670 |
Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php. |
Affected by 14 other vulnerabilities. |
|
VCID-ybv7-hqmj-nbgr
Aliases: CVE-2021-44025 |
Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-yerh-ssat-abah
Aliases: CVE-2017-6820 |
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. |
Affected by 42 other vulnerabilities. |
|
VCID-yv5x-shsw-57cv
Aliases: CVE-2014-9587 |
Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. |
Affected by 49 other vulnerabilities. |
|
VCID-z3kp-p8ch-myhz
Aliases: CVE-2018-9846 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-z7fn-ubfx-g3em
Aliases: CVE-2015-8793 |
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. |
Affected by 49 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |