CVE-2026-48848

EUVD-2026-31727
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
roundcubewebmail
1.6.0 ≤
𝑥
< 1.6.16
CNA
roundcubewebmail
1.7.0 ≤
𝑥
< 1.7.1
CNA
Debian logo
Debian Releases
Debian Product
Codename
roundcube
bookworm
vulnerable
bookworm (security)
1.6.5+dfsg-1+deb12u9
fixed
bullseye
vulnerable
bullseye (security)
1.4.15+dfsg.1-1+deb11u9
fixed
forky
1.6.17+dfsg-1
fixed
sid
1.6.17+dfsg-1
fixed
trixie
vulnerable
trixie (security)
1.6.16+dfsg-0+deb13u1
fixed