CVE-2026-26079

EUVD-2026-5945
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
mitreCNA
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
Debian logo
Debian Releases
Debian Product
Codename
roundcube
bookworm
vulnerable
bookworm (security)
1.6.5+dfsg-1+deb12u7
fixed
bullseye
vulnerable
bullseye (security)
1.4.15+dfsg.1-1+deb11u7
fixed
forky
1.6.13+dfsg-1
fixed
sid
1.6.13+dfsg-1
fixed
trixie
vulnerable
trixie (security)
1.6.13+dfsg-0+deb13u1
fixed
Common Weakness Enumeration
References
https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816
https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447
https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01
https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5
https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954
https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde
https://github.com/roundcube/roundcubemail/releases/tag/1.5.13
https://github.com/roundcube/roundcubemail/releases/tag/1.6.13
https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13