RoundCube Webmail: Animate Tag in SVG Can Execute Malicious Code

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.1

RoundCube Webmail: Animate Tag in SVG Can Execute Malicious Code

Known exploited

CVE-2025-68461 CVE-2025-68461

Summary

The RoundCube Webmail application contains a security weakness that could allow an attacker to inject malicious code into a user's webmail session. This could lead to unauthorized access to sensitive information or actions. To protect your users, update to the latest version of RoundCube Webmail.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
roundcube	webmail	All versions	–
roundcube	webmail	<= 1.5.12	–
roundcube	webmail	> 1.6.0 , <= 1.6.12	–

Original title

RoundCube Webmail Cross-site Scripting Vulnerability

Original description

RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340... Patch
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-... US Government Resource

Published: 20 Feb 2026 · Updated: 15 Mar 2026 · First seen: 6 Mar 2026