Stored Cross-Site Scripting in Roundcube Webmail Affects Multiple Versions
CVE-2026-54432
What is CVE-2026-54432?
CVE-2026-54432 is a security flaw found in Roundcube Webmail, a popular open-source email client utilized by organizations for managing web-based email services. This vulnerability, classified as a Stored Cross-Site Scripting (XSS) issue, arises because the application fails to properly escape the MIME type of attachments during validation on the warning page. When exploited, it could allow attackers to inject malicious scripts into web pages viewed by other users, compromising their data and accounts. As organizations increasingly adopt webmail systems for confidential communications, this vulnerability could have serious implications, leading to unauthorized access and data leakage.
Potential impact of CVE-2026-54432
-
Unauthorized Data Access: By exploiting this XSS vulnerability, attackers can gain unauthorized access to sensitive user information, including personal emails and attachments, leading to significant data breaches.
-
Account Compromise: The vulnerability could allow threat actors to execute scripts in the context of a user's session, which may facilitate the hijacking of user accounts, enabling further malicious activities such as phishing attacks or data manipulation.
-
Reputation Damage and User Trust: Organizations affected by this vulnerability may face severe reputational harm due to data breaches or the perception of inadequate security, potentially leading to a loss of customer trust and business.
Affected Version(s)
Webmail 1.6.0 < 1.6.17
Webmail 1.7.0 < 1.7.2
