Stored Cross-Site Scripting Vulnerability in Roundcube Webmail Product
CVE-2026-54433
7.2HIGH
What is CVE-2026-54433?
A stored cross-site scripting (XSS) vulnerability exists in Roundcube Webmail prior to version 1.6.17 and in the 1.7.x series before 1.7.2. An attacker can exploit this vulnerability by sending a specially crafted plain-text email message. Upon the victim opening or previewing the email, the attacker-controlled JavaScript executes in the context of the victim's authenticated session, allowing for unauthorized actions without any user interaction needed.
Affected Version(s)
Webmail 1.6.0 < 1.6.17
Webmail 1.7.0 < 1.7.2
