| purl | pkg:deb/debian/roundcube@1.2.3%2Bdfsg.1-4%2Bdeb9u6 |
| Next non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Latest non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-14vp-t71a-4bh1 Aliases: CVE-2021-46144 | security update | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-2eyy-k49d-m3af Aliases: CVE-2021-44026 | Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-2hap-9mqs-v3b8 Aliases: CVE-2026-35541 GHSA-46pv-mj2g-93gh | Roundcube Webmail: Incorrect password comparison in the password plugin | Affected by 0 other vulnerabilities. |
| VCID-2k4q-26tk-j3gx Aliases: CVE-2024-42010 | security update | Affected by 14 other vulnerabilities. |
| VCID-2nb2-9vgp-tqg9 Aliases: CVE-2025-68460 | roundcubemail: Roundcube Webmail: Information Disclosure via HTML Style Sanitizer | Affected by 0 other vulnerabilities. |
| VCID-36et-26h7-pke7 Aliases: CVE-2024-42008 | security update | Affected by 14 other vulnerabilities. |
| VCID-3kyu-tx4q-p3aq Aliases: CVE-2025-49113 GHSA-8j8w-wwqc-x596 | Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | Affected by 0 other vulnerabilities. |
| VCID-4yzj-hrqv-vbcp Aliases: CVE-2026-25916 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. | Affected by 0 other vulnerabilities. |
| VCID-5yts-xnha-4bf3 Aliases: CVE-2026-35539 GHSA-x4q5-8j5g-hpjc | Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode | Affected by 0 other vulnerabilities. |
| VCID-79me-pjdn-ykgq Aliases: CVE-2020-12640 | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 14 other vulnerabilities. |
| VCID-7nn6-aywu-z7g8 Aliases: CVE-2020-13964 | security update | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-8vmm-1hvf-17ap Aliases: CVE-2026-35542 GHSA-5hf6-crg4-fg59 | Roundcube: Bypass of remote image blocking via crafted BODY background attribute | Affected by 0 other vulnerabilities. |
| VCID-8xf2-hjfv-hybh Aliases: CVE-2026-35544 GHSA-xpqh-grpw-4xmg | Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages | Affected by 0 other vulnerabilities. |
| VCID-9der-5csu-nbbq Aliases: CVE-2024-42009 | security update | Affected by 14 other vulnerabilities. |
| VCID-9ktu-55q4-3kau Aliases: CVE-2018-19205 | Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. | Affected by 36 other vulnerabilities. |
| VCID-9uv1-gqq7-3kc9 Aliases: CVE-2025-68461 | roundcubemail: Roundcube Webmail: Cross-Site Scripting (XSS) vulnerability via crafted SVG animate tag | Affected by 0 other vulnerabilities. |
| VCID-cjkd-2jr6-n7as Aliases: CVE-2024-37383 | roundcubemail: allows XSS via SVG animate attributes | Affected by 14 other vulnerabilities. |
| VCID-ck88-1urs-2kes Aliases: CVE-2026-35543 GHSA-j2g6-8rvg-7mf6 | Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message | Affected by 0 other vulnerabilities. |
| VCID-cnkc-vcp7-6kcw Aliases: CVE-2020-12626 | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-ddfq-28qm-2fbn Aliases: CVE-2026-35545 GHSA-w846-74jr-76cv | Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message | Affected by 0 other vulnerabilities. |
| VCID-fuh5-bwaq-yyfk Aliases: CVE-2017-16651 | security update | Affected by 36 other vulnerabilities. |
| VCID-gh6k-19h8-fqbf Aliases: CVE-2026-35538 GHSA-8jr8-v43g-5c57 | Roundcube Webmail: Unsanitized IMAP SEARCH command arguments | Affected by 0 other vulnerabilities. |
| VCID-hg1a-vx5c-hue3 Aliases: CVE-2020-12641 | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 14 other vulnerabilities. |
| VCID-j29t-cw2h-mfd8 Aliases: CVE-2018-1000071 | roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appears to be exploitable via network connectivity. | Affected by 36 other vulnerabilities. |
| VCID-jck5-xymf-s3bh Aliases: CVE-2020-16145 | security update | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-jqs5-8ct7-wfgk Aliases: CVE-2021-26925 | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. | Affected by 14 other vulnerabilities. |
| VCID-kyxz-v3sj-w3cw Aliases: CVE-2020-18671 | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | Affected by 14 other vulnerabilities. |
| VCID-m4yc-ms54-zyhv Aliases: CVE-2020-13965 | security update | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-ncbg-6m11-3qan Aliases: CVE-2023-47272 | security update | Affected by 14 other vulnerabilities. |
| VCID-qwak-6wgy-wfgs Aliases: CVE-2024-37384 | security update | Affected by 14 other vulnerabilities. |
| VCID-rc91-j3kf-zfch Aliases: CVE-2020-15562 | security update | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-s6p1-rf35-euhy Aliases: CVE-2023-43770 | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | Affected by 14 other vulnerabilities. |
| VCID-ts1p-pw9v-cbh3 Aliases: CVE-2018-19206 | security update | Affected by 36 other vulnerabilities. |
| VCID-u8a4-4pe2-9kcb Aliases: CVE-2020-35730 | security update | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-ub6x-9dku-c7fk Aliases: CVE-2026-35540 GHSA-vxg2-hhgr-37fx | Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages | Affected by 0 other vulnerabilities. |
| VCID-ur1a-7tdn-h3hu Aliases: CVE-2019-10740 | In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. | Affected by 36 other vulnerabilities. |
| VCID-vehj-ytsm-kqgz Aliases: CVE-2023-5631 | security update | Affected by 14 other vulnerabilities. |
| VCID-vtz8-zmp4-xbdh Aliases: CVE-2026-26079 | roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments | Affected by 0 other vulnerabilities. |
| VCID-x9j7-98zt-6ygt Aliases: CVE-2020-12625 | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-xssa-fwbx-kybq Aliases: CVE-2020-18670 | Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php. | Affected by 14 other vulnerabilities. |
| VCID-ybv7-hqmj-nbgr Aliases: CVE-2021-44025 | Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. | Affected by 36 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-z3kp-p8ch-myhz Aliases: CVE-2018-9846 | security update | Affected by 36 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7nn6-aywu-z7g8 | security update | CVE-2020-13964 |
| VCID-brmp-djyb-q3b7 | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. | CVE-2016-4069 |
| VCID-c4ys-1wzp-vqej | A vulnerability in RoundCube may allow authenticated users to bypass security restrictions. | CVE-2017-8114 |
| VCID-cnkc-vcp7-6kcw | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | CVE-2020-12626 |
| VCID-ekhg-mmjb-v3c3 | A vulnerability in Roundcube could potentially lead to arbitrary code execution. | CVE-2016-9920 |
| VCID-fuh5-bwaq-yyfk | security update | CVE-2017-16651 |
| VCID-m4yc-ms54-zyhv | security update | CVE-2020-13965 |
| VCID-rthq-fqk2-yydk | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. | CVE-2016-4068 |
| VCID-spk8-q616-rkda | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | CVE-2015-8864 |
| VCID-tmch-gj6d-tyfq | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message. | CVE-2016-4552 |
| VCID-ts1p-pw9v-cbh3 | security update | CVE-2018-19206 |
| VCID-x9j7-98zt-6ygt | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | CVE-2020-12625 |
| VCID-yerh-ssat-abah | rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. | CVE-2017-6820 |
| VCID-z3kp-p8ch-myhz | security update | CVE-2018-9846 |