Insufficient HTML Sanitization in Roundcube Webmail by Roundcube
CVE-2026-48848

7.2 HIGH

Key Information:

Vendor: Roundcube

Status
Vendor
CVE Published: 25 May 2026

What is CVE-2026-48848?

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 is vulnerable due to insufficient HTML sanitization. The weakness can be exploited through specially crafted SVG documents that include an animate element with the attributeName attribute, potentially allowing attackers to inject cascading style sheets (CSS). Users of affected versions should update to the latest releases to mitigate this risk.

Affected Version(s)

Webmail 1.6.0 < 1.6.16

Webmail 1.7.0 < 1.7.1

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
