pkg:Packagist/roundcube/roundcubemail

10 total CVEsCRITICAL1MEDIUM7LOW2

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.9CVE-2025-49113⚠ KEVRoundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
    from 0, < 1.5.10
  • MEDIUM6.1CVE-2026-35539Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode
    >= 1.7-beta, < 1.7-rc5
  • MEDIUM5.4CVE-2026-35540Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
    >= 1.7-beta, < 1.7-rc5
  • MEDIUM5.3CVE-2026-35542Roundcube: Bypass of remote image blocking via crafted BODY background attribute
    >= 1.7-beta, < 1.7-rc5
  • MEDIUM5.3CVE-2026-35544Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
    >= 1.7-beta, < 1.7-rc5
  • MEDIUM5.3CVE-2026-35545Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
    >= 1.7-beta, < 1.7-rc5
  • MEDIUM5.3CVE-2026-35543Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message
    >= 1.7-beta, < 1.7-rc5
  • MEDIUM4.2CVE-2026-35541Roundcube Webmail: Incorrect password comparison in the password plugin
    >= 1.7-beta, < 1.7-rc5
  • LOW3.7CVE-2026-35537Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler
    >= 1.7-beta, < 1.7-rc5
  • LOW3.1CVE-2026-35538Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
    >= 1.7-beta, < 1.7-rc5