Roundcube Webmail allows malicious HTML in email attachments
CVE-2026-35539
Summary
A cross-site scripting (XSS) issue in Roundcube Webmail can allow an attacker to inject malicious code into a user's browser when the user previews a text/html email attachment, because HTML attachments are insufficiently sanitized in preview mode. This could potentially lead to unauthorized access to the user's account or other security issues. Users of affected versions (before 1.5.14 and 1.6.14) should update to the latest version of Roundcube Webmail to patch this issue.
Original description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
NVD CVSS 3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a664...
- https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e4...
- https://github.com/roundcube/roundcubemail/commit/d742954ccbcdee7020f8f2e7c49ce0...
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026