| purl | pkg:deb/debian/roundcube@1.3.17%2Bdfsg.1-1~deb10u2 |
| Next non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Latest non-vulnerable version | 1.6.5+dfsg-1+deb12u6 |
| Risk | 10.0 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-14vp-t71a-4bh1 (Aliases: CVE-2021-46144) | security update | Affected by 14 other vulnerabilities. |
| VCID-2eyy-k49d-m3af (Aliases: CVE-2021-44026) | Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. | Affected by 14 other vulnerabilities. |
| VCID-2hap-9mqs-v3b8 (Aliases: CVE-2026-35541 GHSA-46pv-mj2g-93gh) | Roundcube Webmail: Incorrect password comparison in the password plugin | Affected by 0 other vulnerabilities. |
| VCID-2k4q-26tk-j3gx (Aliases: CVE-2024-42010) | security update | Affected by 14 other vulnerabilities. |
| VCID-2nb2-9vgp-tqg9 (Aliases: CVE-2025-68460) | roundcubemail: Roundcube Webmail: Information Disclosure via HTML Style Sanitizer | Affected by 0 other vulnerabilities. |
| VCID-36et-26h7-pke7 (Aliases: CVE-2024-42008) | security update | Affected by 14 other vulnerabilities. |
| VCID-3kyu-tx4q-p3aq (Aliases: CVE-2025-49113 GHSA-8j8w-wwqc-x596) | Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | Affected by 0 other vulnerabilities. |
| VCID-4yzj-hrqv-vbcp (Aliases: CVE-2026-25916) | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. | Affected by 0 other vulnerabilities. |
| VCID-5yts-xnha-4bf3 (Aliases: CVE-2026-35539 GHSA-x4q5-8j5g-hpjc) | Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode | Affected by 0 other vulnerabilities. |
| VCID-79me-pjdn-ykgq (Aliases: CVE-2020-12640) | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 14 other vulnerabilities. |
| VCID-7nn6-aywu-z7g8 (Aliases: CVE-2020-13964) | security update | Affected by 14 other vulnerabilities. |
| VCID-8vmm-1hvf-17ap (Aliases: CVE-2026-35542 GHSA-5hf6-crg4-fg59) | Roundcube: Bypass of remote image blocking via crafted BODY background attribute | Affected by 0 other vulnerabilities. |
| VCID-8xf2-hjfv-hybh (Aliases: CVE-2026-35544 GHSA-xpqh-grpw-4xmg) | Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages | Affected by 0 other vulnerabilities. |
| VCID-9der-5csu-nbbq (Aliases: CVE-2024-42009) | security update | Affected by 14 other vulnerabilities. |
| VCID-9uv1-gqq7-3kc9 (Aliases: CVE-2025-68461) | roundcubemail: Roundcube Webmail: Cross-Site Scripting (XSS) vulnerability via crafted SVG animate tag | Affected by 0 other vulnerabilities. |
| VCID-cjkd-2jr6-n7as (Aliases: CVE-2024-37383) | roundcubemail: allows XSS via SVG animate attributes | Affected by 14 other vulnerabilities. |
| VCID-ck88-1urs-2kes (Aliases: CVE-2026-35543 GHSA-j2g6-8rvg-7mf6) | Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message | Affected by 0 other vulnerabilities. |
| VCID-cnkc-vcp7-6kcw (Aliases: CVE-2020-12626) | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 14 other vulnerabilities. |
| VCID-ddfq-28qm-2fbn (Aliases: CVE-2026-35545 GHSA-w846-74jr-76cv) | Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message | Affected by 0 other vulnerabilities. |
| VCID-gh6k-19h8-fqbf (Aliases: CVE-2026-35538 GHSA-8jr8-v43g-5c57) | Roundcube Webmail: Unsanitized IMAP SEARCH command arguments | Affected by 0 other vulnerabilities. |
| VCID-hg1a-vx5c-hue3 (Aliases: CVE-2020-12641) | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 14 other vulnerabilities. |
| VCID-jck5-xymf-s3bh (Aliases: CVE-2020-16145) | security update | Affected by 14 other vulnerabilities. |
| VCID-jqs5-8ct7-wfgk (Aliases: CVE-2021-26925) | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. | Affected by 14 other vulnerabilities. |
| VCID-kyxz-v3sj-w3cw (Aliases: CVE-2020-18671) | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | Affected by 14 other vulnerabilities. |
| VCID-m4yc-ms54-zyhv (Aliases: CVE-2020-13965) | security update | Affected by 14 other vulnerabilities. |
| VCID-ncbg-6m11-3qan (Aliases: CVE-2023-47272) | security update | Affected by 14 other vulnerabilities. |
| VCID-qwak-6wgy-wfgs (Aliases: CVE-2024-37384) | security update | Affected by 14 other vulnerabilities. |
| VCID-rc91-j3kf-zfch (Aliases: CVE-2020-15562) | security update | Affected by 14 other vulnerabilities. |
| VCID-s6p1-rf35-euhy (Aliases: CVE-2023-43770) | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | Affected by 14 other vulnerabilities. |
| VCID-u8a4-4pe2-9kcb (Aliases: CVE-2020-35730) | security update | Affected by 14 other vulnerabilities. |
| VCID-ub6x-9dku-c7fk (Aliases: CVE-2026-35540 GHSA-vxg2-hhgr-37fx) | Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages | Affected by 0 other vulnerabilities. |
| VCID-vehj-ytsm-kqgz (Aliases: CVE-2023-5631) | security update | Affected by 14 other vulnerabilities. |
| VCID-vtz8-zmp4-xbdh (Aliases: CVE-2026-26079) | roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments | Affected by 0 other vulnerabilities. |
| VCID-x9j7-98zt-6ygt (Aliases: CVE-2020-12625) | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | Affected by 14 other vulnerabilities. |
| VCID-xssa-fwbx-kybq (Aliases: CVE-2020-18670) | Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php. | Affected by 14 other vulnerabilities. |
| VCID-ybv7-hqmj-nbgr (Aliases: CVE-2021-44025) | Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. | Affected by 14 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-14vp-t71a-4bh1 | security update | CVE-2021-46144 |
| VCID-2eyy-k49d-m3af | Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. | CVE-2021-44026 |
| VCID-7nn6-aywu-z7g8 | security update | CVE-2020-13964 |
| VCID-9ktu-55q4-3kau | Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. | CVE-2018-19205 |
| VCID-cnkc-vcp7-6kcw | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | CVE-2020-12626 |
| VCID-fuh5-bwaq-yyfk | security update | CVE-2017-16651 |
| VCID-j29t-cw2h-mfd8 | Roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in the enigma plugin that can result in exfiltration of the GPG private key. This attack appears to be exploitable via network connectivity. | CVE-2018-1000071 |
| VCID-jck5-xymf-s3bh | security update | CVE-2020-16145 |
| VCID-m4yc-ms54-zyhv | security update | CVE-2020-13965 |
| VCID-rc91-j3kf-zfch | security update | CVE-2020-15562 |
| VCID-ts1p-pw9v-cbh3 | security update | CVE-2018-19206 |
| VCID-u8a4-4pe2-9kcb | security update | CVE-2020-35730 |
| VCID-ur1a-7tdn-h3hu | In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. | CVE-2019-10740 |
| VCID-x9j7-98zt-6ygt | A flaw in Roundcube's handling of configuration files may allow arbitrary code execution, amongst other vulnerabilities. | CVE-2020-12625 |
| VCID-ybv7-hqmj-nbgr | Multiple vulnerabilities have been discovered in Roundcube, the worst of which could lead to execution of arbitrary code. | CVE-2021-44025 |
| VCID-z3kp-p8ch-myhz | security update | CVE-2018-9846 |