Stored Cross-Site Scripting in Roundcube Webmail Affects Multiple Versions
CVE-2026-54432

4.7MEDIUM

Key Information:

Vendor

Roundcube

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-54432?

CVE-2026-54432 is a security flaw found in Roundcube Webmail, a popular open-source email client utilized by organizations for managing web-based email services. This vulnerability, classified as a Stored Cross-Site Scripting (XSS) issue, arises because the application fails to properly escape the MIME type of attachments during validation on the warning page. When exploited, it could allow attackers to inject malicious scripts into web pages viewed by other users, compromising their data and accounts. As organizations increasingly adopt webmail systems for confidential communications, this vulnerability could have serious implications, leading to unauthorized access and data leakage.

Potential impact of CVE-2026-54432

  1. Unauthorized Data Access: By exploiting this XSS vulnerability, attackers can gain unauthorized access to sensitive user information, including personal emails and attachments, leading to significant data breaches.

  2. Account Compromise: The vulnerability could allow threat actors to execute scripts in the context of a user's session, which may facilitate the hijacking of user accounts, enabling further malicious activities such as phishing attacks or data manipulation.

  3. Reputation Damage and User Trust: Organizations affected by this vulnerability may face severe reputational harm due to data breaches or the perception of inadequate security, potentially leading to a loss of customer trust and business.

Affected Version(s)

Webmail 1.6.0 < 1.6.17

Webmail 1.7.0 < 1.7.2

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.