Denial of Service Vulnerability in Roundcube Webmail by Roundcube
CVE-2026-62641

4.3MEDIUM

Key Information:

Vendor

Roundcube

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-62641?

A denial of service vulnerability exists in Roundcube Webmail due to a flaw in the TNEF decoder. This issue allows attackers to craft a malicious compressed RTF size, potentially overwhelming the service and leading to a degradation of performance or unavailability. Users running affected versions of Roundcube prior to 1.6.17 or in the 1.7.x series prior to 1.7.2 are encouraged to apply security updates to mitigate this risk.

Affected Version(s)

Webmail 1.6.0 < 1.6.17

Webmail 1.7.0 < 1.7.2

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.