CVE-2025-68461
Unknown Unknown - Not Provided
Cross-Site Scripting in Roundcube Webmail via SVG Animate Tag

Publication date: 2025-12-18

Last updated on: 2026-02-23

Assigner: MITRE

Description
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68461
EUVD
EUVD-2025-204035
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roundcube roundcube *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in Roundcube Webmail related to the handling of the SVG <animate> tag. Attackers could exploit the way SVG animation attributes are processed to inject malicious scripts. The vulnerability arises because certain SVG attributes like 'to', 'from', and 'attributeName' were not properly sanitized, allowing JavaScript payloads to be embedded and executed. The fix involved improving sanitization by normalizing attribute names and values, blocking dangerous SVG animate elements, and enhancing cleanup routines to prevent script injection via SVG animations. [1]

Impact Analysis

This XSS vulnerability can allow attackers to execute arbitrary scripts in the context of the victim's browser when they view malicious SVG content in Roundcube Webmail. This can lead to theft of sensitive information such as session cookies, user credentials, or other private data accessible through the webmail interface. It may also enable attackers to perform actions on behalf of the user without their consent, potentially compromising the security and privacy of the affected users. [1]

Detection Guidance

Detection of this vulnerability involves identifying malicious SVG files or payloads containing the <animate> tag with dangerous attributes such as 'xlink:href' containing JavaScript. You can scan your Roundcube Webmail installation files and user-uploaded SVG content for such patterns. For example, using grep to find suspicious SVG animate tags with JavaScript payloads: grep -r --include='*.svg' '<animate[^>]*xlink:href=["\']javascript:' /path/to/roundcube or user uploads. Additionally, monitoring HTTP traffic for SVG files containing <animate> tags with suspicious attributes can help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to update Roundcube Webmail to version 1.5.12 or later, or 1.6.12 or later, where this vulnerability is fixed. The fix includes improved sanitization of SVG <animate> tags and blocking of dangerous attributes that could lead to XSS. If updating is not immediately possible, consider applying the patch from commit bfa0326 or disabling SVG animation support in your sanitizer configuration to prevent malicious SVG content from being processed. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart