CVE-2026-26079

EUVD-2026-5945
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
roundcubewebmail
𝑥
< 1.5.13
CNA
roundcubewebmail
1.6.0 ≤
𝑥
< 1.6.13
CNA
Debian logo
Debian Releases
Debian Product
Codename
roundcube
bookworm
1.6.5+dfsg-1+deb12u8
fixed
bookworm (security)
1.6.5+dfsg-1+deb12u8
fixed
bullseye
vulnerable
bullseye (security)
1.4.15+dfsg.1-1+deb11u8
fixed
sid
1.6.15+dfsg-1
fixed
trixie
1.6.15+dfsg-0+deb13u1
fixed
trixie (security)
1.6.15+dfsg-0+deb13u1
fixed
Common Weakness Enumeration
References
https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816
https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447
https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01
https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5
https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954
https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde
https://github.com/roundcube/roundcubemail/releases/tag/1.5.13
https://github.com/roundcube/roundcubemail/releases/tag/1.6.13
https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13