Cross-Site Scripting Vulnerability in Roundcube Webmail from Roundcube
CVE-2025-68461

7.2 HIGH

Key Information:

Vendor:
Roundcube

Status:
Vendor

CVE Published:
18 December 2025

Badges

📈 Trended (score: 1,530) · 👾 Exploit Exists · 🦅 CISA Reported · 📰 News Worthy

What is CVE-2025-68461?

CVE-2025-68461 is a cross-site scripting (XSS) vulnerability in Roundcube Webmail, a widely deployed open-source webmail client. It affects releases before 1.5.12 and 1.6.x releases before 1.6.12. A crafted SVG document containing an animate element is not neutralised by Roundcube, so script supplied by the attacker runs in the victim's browser within the Roundcube origin, that is, with the victim's authenticated webmail session. Whatever the user can do in the web interface, the script can do as well: read and exfiltrate mail and contacts, send messages, or change account settings. Because the payload travels as message content, the attacker needs no account on the target server, only a way to get the message in front of the victim; the victim does still have to render the content in Roundcube for the script to fire, which is the usual trigger for an XSS in a mail client. Organisations running unpatched Roundcube should expect mailbox compromise and account takeover as realistic outcomes, and upgrade to 1.5.12 or 1.6.12.
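The general mechanism behind "XSS via animate in SVG", as an added example that is not Roundcube's code and not the proof of concept for this CVE: a washer that screens only static URL attributes (href, src) for javascript: lets an SVG SMIL animate element through, and at display time the animation rewrites href to a script URL, after the washer has already done its work. The payload, the naive and hardened washers and the benign control below are constructed for illustration; how Roundcube's own washer is structured is an assumption here, not something the page states.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the serialised output free of ns0: prefixes

# Attributes a typical HTML/SVG washer treats as URL-bearing and screens for script schemes.
URL_ATTRS = {"href", "src"}
# SMIL animation elements: each can rewrite an arbitrary attribute of its parent at run time,
# i.e. after the washer has finished looking at the static markup.
SMIL_ELEMENTS = {"animate", "animatemotion", "animatetransform", "set"}
# Attributes through which an animation supplies the new value(s); 'values' is ';'-separated.
SMIL_VALUE_ATTRS = ("values", "from", "to", "by")
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


def local(name):
    """Strip namespace and prefix: '{http://www.w3.org/1999/xlink}href' and 'xlink:href' -> 'href'."""
    return name.rpartition("}")[2].rpartition(":")[2].lower()


def is_blocked_url(value):
    # Browsers ignore whitespace and control characters inside the scheme, so normalise first:
    # "java\nscript:alert(1)" is still a javascript: URL.
    compact = "".join(value.split()).lower()
    return compact.startswith(BLOCKED_SCHEMES)


def strip_blocked_static_urls(root):
    """The check both washers share: drop href/src attributes that carry a blocked scheme."""
    for el in root.iter():
        for attr in list(el.attrib):
            if local(attr) in URL_ATTRS and is_blocked_url(el.attrib[attr]):
                del el.attrib[attr]


def naive_wash(svg_text):
    """Screens static URL attributes only; animation elements pass through untouched."""
    root = ET.fromstring(svg_text)
    strip_blocked_static_urls(root)
    return ET.tostring(root, encoding="unicode")


def unsafe_animation(el):
    """True for a SMIL element that retargets a URL attribute or supplies a blocked scheme."""
    if local(el.tag) not in SMIL_ELEMENTS:
        return False
    if local(el.get("attributeName", "")) in URL_ATTRS:
        return True
    return any(
        is_blocked_url(piece)
        for name in SMIL_VALUE_ATTRS
        for piece in el.get(name, "").split(";")
    )


def find_unsafe_animations(svg_text):
    """Detection view: the attributeName of every animation the hardened washer would drop."""
    root = ET.fromstring(svg_text)
    return [el.get("attributeName", "") for el in root.iter() if unsafe_animation(el)]


def hardened_wash(svg_text):
    """Static screening plus removal of animations that could undo it."""
    root = ET.fromstring(svg_text)
    strip_blocked_static_urls(root)
    # Collect first, then remove, so the tree is not mutated while it is being iterated.
    doomed = [(parent, child) for parent in root.iter() for child in list(parent)
              if unsafe_animation(child)]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample (not the PoC for this CVE): the static href is harmless, the animation
# swaps it for a javascript: URL one second after the SVG is displayed.
PAYLOAD = (
    f'<svg xmlns="{SVG_NS}" width="200" height="60">'
    '<a href="https://example.com/">'
    '<animate attributeName="href" dur="1s" fill="freeze" '
    'values="https://example.com/;javascript:alert(document.domain)"/>'
    '<text x="10" y="30">Open attachment</text>'
    '</a></svg>'
)
# Constructed benign animation that a hardened washer must keep.
BENIGN = (f'<svg xmlns="{SVG_NS}"><circle r="10">'
          '<animate attributeName="opacity" values="0;1" dur="2s"/></circle></svg>')

if __name__ == "__main__":
    print("naive washer keeps javascript: ->", "javascript:" in naive_wash(PAYLOAD))
    print("hardened output:", hardened_wash(PAYLOAD))
    print("flagged:", find_unsafe_animations(PAYLOAD), find_unsafe_animations(BENIGN))
```

The targeted rule shown here (drop an animation when it names a URL attribute or carries a blocked scheme) is the minimum; a washer with a default-deny policy would simply not allow SMIL elements in mail content at all, which removes the whole class rather than one variant of it.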

Potential impact of CVE-2025-68461

  1. Data Compromise: script running in the Roundcube origin can read the victim's mailbox, contacts and session data and send them to an attacker-controlled host. Mailboxes routinely hold password-reset links, one-time codes and documents, so this extends well beyond the webmail account itself.

  2. User Session Hijacking: the script acts with the victim's existing session, so an attacker can send mail as the user, alter identities or other account settings, and take actions the user never sees, without ever learning the password.

  3. Propagation: because the payload is an email, a compromised session can be used to mail the same payload to the victim's contacts, turning a single crafted message into a self-spreading attack inside and beyond the organisation.

CISA has reported CVE-2025-68461

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, maintains the Known Exploited Vulnerabilities (KEV) catalogue and has listed CVE-2025-68461 as exploited in the wild. It is not known to CISA to be used in ransomware campaigns; that assessment can change quickly.

CISA's required action is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. For Roundcube the vendor instruction is an upgrade to 1.5.12 or 1.6.12 (or later).


Affected Version(s)

Webmail < 1.5.12 (all releases before 1.5.12)

Webmail 1.6.0 <= version < 1.6.12

News Articles

CISA: Recently patched RoundCube flaws now exploited in attacks

CISA flagged two Roundcube Webmail vulnerabilities as actively exploited in attacks and ordered U.S. federal agencies to patch them within three weeks.

1 week ago


EPSS Score

EPSS estimates a 6% probability of exploitation activity against this vulnerability in the next 30 days.

CVSS V3.1

Score: 7.2
Severity: HIGH
Vector (assembled from the metrics listed here): AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Caveat: fed into the CVSS v3.1 base equations, these metric values give a base score of 8.3, not 7.2, and User Interaction: None is unusual for an XSS, which fires only when the victim renders the payload. The score and the metrics on this page disagree with each other; confirm both against NVD or the Roundcube advisory before using either in a risk decision.

Timeline (most recent first; the page gives no dates)

  • First article discovered by BleepingComputer

  • Exploit known to exist

  • CISA Reported

  • Vulnerability started trending

  • Vulnerability published

  • Vulnerability reserved
