Stored Cross-Site Scripting Vulnerability in Roundcube Webmail Product
CVE-2026-54433

7.2HIGH

Key Information:

Vendor

Roundcube

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-54433?

A stored cross-site scripting (XSS) vulnerability exists in Roundcube Webmail prior to version 1.6.17 and in the 1.7.x series before 1.7.2. An attacker can exploit this vulnerability by sending a specially crafted plain-text email message. Upon the victim opening or previewing the email, the attacker-controlled JavaScript executes in the context of the victim's authenticated session, allowing for unauthorized actions without any user interaction needed.

Affected Version(s)

Webmail 1.6.0 < 1.6.17

Webmail 1.7.0 < 1.7.2

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.