wid-sec-w-2026-0789 · Published 2026-03-18 · BSI CERT-Bund
Roundcube: Multiple Vulnerabilities
CVSS 6.1 (MEDIUM)
Risk Summary
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
Affected Vendors
Debian
Open Source
Affected Products (6)
Open Source · Roundcube <1.5.14
Open Source · Roundcube 1.5.14
Open Source · Roundcube <1.6.14
Open Source · Roundcube 1.6.14
Open Source · Roundcube <1.7-rc5
Open Source · Roundcube 1.7-rc5