Search for packages
| purl | pkg:deb/debian/roundcube@1.1.5%2Bdfsg.1-1~bpo8%2B5 |
| Next non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Latest non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-14vp-t71a-4bh1
Aliases: CVE-2021-46144 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-2eyy-k49d-m3af
Aliases: CVE-2021-44026 |
Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-2hap-9mqs-v3b8
Aliases: CVE-2026-35541 GHSA-46pv-mj2g-93gh |
Roundcube Webmail: Incorrect password comparison in the password plugin |
Affected by 0 other vulnerabilities. |
|
VCID-2k4q-26tk-j3gx
Aliases: CVE-2024-42010 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-2nb2-9vgp-tqg9
Aliases: CVE-2025-68460 |
roundcubemail: Roundcube Webmail: Information Disclosure via HTML Style Sanitizer |
Affected by 0 other vulnerabilities. |
|
VCID-36et-26h7-pke7
Aliases: CVE-2024-42008 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-3kyu-tx4q-p3aq
Aliases: CVE-2025-49113 GHSA-8j8w-wwqc-x596 |
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. |
Affected by 0 other vulnerabilities. |
|
VCID-4yzj-hrqv-vbcp
Aliases: CVE-2026-25916 |
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. |
Affected by 0 other vulnerabilities. |
|
VCID-5yts-xnha-4bf3
Aliases: CVE-2026-35539 GHSA-x4q5-8j5g-hpjc |
Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode |
Affected by 0 other vulnerabilities. |
|
VCID-79me-pjdn-ykgq
Aliases: CVE-2020-12640 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 14 other vulnerabilities. |
|
VCID-7nn6-aywu-z7g8
Aliases: CVE-2020-13964 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-8vmm-1hvf-17ap
Aliases: CVE-2026-35542 GHSA-5hf6-crg4-fg59 |
Roundcube: Bypass of remote image blocking via crafted BODY background attribute |
Affected by 0 other vulnerabilities. |
|
VCID-8xf2-hjfv-hybh
Aliases: CVE-2026-35544 GHSA-xpqh-grpw-4xmg |
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages |
Affected by 0 other vulnerabilities. |
|
VCID-9der-5csu-nbbq
Aliases: CVE-2024-42009 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-9ktu-55q4-3kau
Aliases: CVE-2018-19205 |
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. |
Affected by 36 other vulnerabilities. |
|
VCID-9uv1-gqq7-3kc9
Aliases: CVE-2025-68461 |
roundcubemail: Roundcube Webmail: Cross-Site Scripting (XSS) vulnerability via crafted SVG animate tag |
Affected by 0 other vulnerabilities. |
|
VCID-brmp-djyb-q3b7
Aliases: CVE-2016-4069 |
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. |
Affected by 42 other vulnerabilities. |
|
VCID-c4ys-1wzp-vqej
Aliases: CVE-2017-8114 |
A vulnerability in RoundCube may allow authenticated users to bypass security restrictions. |
Affected by 42 other vulnerabilities. |
|
VCID-cjkd-2jr6-n7as
Aliases: CVE-2024-37383 |
roundcubemail: allows XSS via SVG animate attributes |
Affected by 14 other vulnerabilities. |
|
VCID-ck88-1urs-2kes
Aliases: CVE-2026-35543 GHSA-j2g6-8rvg-7mf6 |
Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message |
Affected by 0 other vulnerabilities. |
|
VCID-cnkc-vcp7-6kcw
Aliases: CVE-2020-12626 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-ddfq-28qm-2fbn
Aliases: CVE-2026-35545 GHSA-w846-74jr-76cv |
Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message |
Affected by 0 other vulnerabilities. |
|
VCID-ekhg-mmjb-v3c3
Aliases: CVE-2016-9920 |
A vulnerability in Roundcube could potentially lead to arbitrary code execution. |
Affected by 42 other vulnerabilities. |
|
VCID-fuh5-bwaq-yyfk
Aliases: CVE-2017-16651 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-gh6k-19h8-fqbf
Aliases: CVE-2026-35538 GHSA-8jr8-v43g-5c57 |
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments |
Affected by 0 other vulnerabilities. |
|
VCID-hg1a-vx5c-hue3
Aliases: CVE-2020-12641 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 14 other vulnerabilities. |
|
VCID-j29t-cw2h-mfd8
Aliases: CVE-2018-1000071 |
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity. |
Affected by 36 other vulnerabilities. |
|
VCID-jck5-xymf-s3bh
Aliases: CVE-2020-16145 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-jqs5-8ct7-wfgk
Aliases: CVE-2021-26925 |
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. |
Affected by 14 other vulnerabilities. |
|
VCID-kyxz-v3sj-w3cw
Aliases: CVE-2020-18671 |
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. |
Affected by 14 other vulnerabilities. |
|
VCID-m4yc-ms54-zyhv
Aliases: CVE-2020-13965 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-ncbg-6m11-3qan
Aliases: CVE-2023-47272 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-qwak-6wgy-wfgs
Aliases: CVE-2024-37384 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-rc91-j3kf-zfch
Aliases: CVE-2020-15562 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-rthq-fqk2-yydk
Aliases: CVE-2016-4068 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. |
Affected by 42 other vulnerabilities. |
|
VCID-s6p1-rf35-euhy
Aliases: CVE-2023-43770 |
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. |
Affected by 14 other vulnerabilities. |
|
VCID-spk8-q616-rkda
Aliases: CVE-2015-8864 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. |
Affected by 42 other vulnerabilities. |
|
VCID-tmch-gj6d-tyfq
Aliases: CVE-2016-4552 |
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message. |
Affected by 42 other vulnerabilities. |
|
VCID-ts1p-pw9v-cbh3
Aliases: CVE-2018-19206 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-u8a4-4pe2-9kcb
Aliases: CVE-2020-35730 |
security update |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-ub6x-9dku-c7fk
Aliases: CVE-2026-35540 GHSA-vxg2-hhgr-37fx |
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages |
Affected by 0 other vulnerabilities. |
|
VCID-ur1a-7tdn-h3hu
Aliases: CVE-2019-10740 |
In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. |
Affected by 36 other vulnerabilities. |
|
VCID-vehj-ytsm-kqgz
Aliases: CVE-2023-5631 |
security update |
Affected by 14 other vulnerabilities. |
|
VCID-vtz8-zmp4-xbdh
Aliases: CVE-2026-26079 |
roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments |
Affected by 0 other vulnerabilities. |
|
VCID-x9j7-98zt-6ygt
Aliases: CVE-2020-12625 |
A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-xssa-fwbx-kybq
Aliases: CVE-2020-18670 |
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. |
Affected by 14 other vulnerabilities. |
|
VCID-ybv7-hqmj-nbgr
Aliases: CVE-2021-44025 |
Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. |
Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-yerh-ssat-abah
Aliases: CVE-2017-6820 |
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. |
Affected by 42 other vulnerabilities. |
|
VCID-z3kp-p8ch-myhz
Aliases: CVE-2018-9846 |
security update |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-23v8-vzqs-j3f6 | program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard. |
CVE-2015-5382
|
| VCID-489e-j7sj-5kgv | The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password. |
CVE-2015-2180
|
| VCID-76t7-q4pa-gkct | Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. |
CVE-2015-5381
|
| VCID-9uqr-ph81-gfef | Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. |
CVE-2015-2181
|
| VCID-dzu5-531f-qqgy | program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. |
CVE-2015-1433
|
| VCID-g7dn-kxs3-p7bx | Multiple vulnerabilities have been found in Roundcube allowing remote authenticated users to execute arbitrary code, inject arbitrary web scripts, and perform cross-site scripting (XSS). |
CVE-2015-8770
|
| VCID-ja7n-zgpp-dfh4 | A vulnerability in Roundcube could result in arbitrary code execution, SQL injection, or reading of arbitrary files. |
CVE-2013-6172
|
| VCID-kf54-x29g-63fb | Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling. |
CVE-2015-8794
|
| VCID-qr2m-f4yw-qqa5 | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save_identity.inc. |
CVE-2013-5645
|
| VCID-r1hb-f5nm-ykhk | Multiple vulnerabilities have been found in Roundcube allowing remote authenticated users to execute arbitrary code, inject arbitrary web scripts, and perform cross-site scripting (XSS). |
CVE-2015-8105
|
| VCID-yv5x-shsw-57cv | Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. |
CVE-2014-9587
|
| VCID-z7fn-ubfx-g3em | Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. |
CVE-2015-8793
|