CVE-2026-54432
Received Received - Intake

Stored XSS in Roundcube Webmail Attachment Handling

Vulnerability report for CVE-2026-54432, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-15

Assigner: MITRE

Description

Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
roundcube roundcube to 1.6.17|end_excluding=1.7.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54432 is a stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail. It affects versions before 1.6.17 and 1.7.x before 1.7.2. The issue arises because the attachment MIME type is not properly escaped on the attachment-validation warning page. This allows malicious actors to inject and store harmful scripts, which can then be executed in the context of a user's browser when they view the affected page.

Impact Analysis

This vulnerability can impact you in several ways:

  • Attackers can exploit this flaw to steal sensitive information, such as session cookies or login credentials, from users who interact with the compromised Roundcube Webmail interface.
  • Malicious scripts can be used to perform actions on behalf of the user, such as sending emails, deleting messages, or modifying account settings, without the user's knowledge.
  • The stored nature of the XSS means the attack can persist and affect multiple users over time, increasing the potential damage.
  • If you are an administrator, this vulnerability could lead to broader compromise of the webmail system, potentially affecting all users of the Roundcube installation.
Compliance Impact

This vulnerability can have implications for compliance with several standards and regulations:

  • GDPR (General Data Protection Regulation): If the XSS vulnerability leads to unauthorized access or disclosure of personal data of EU citizens, it could result in a violation of GDPR. Organizations may face significant fines and be required to notify affected individuals.
  • HIPAA (Health Insurance Portability and Accountability Act): For organizations handling protected health information (PHI), this vulnerability could lead to unauthorized access to sensitive patient data. A breach of PHI due to this flaw may constitute a HIPAA violation, resulting in penalties and mandatory breach notifications.
  • Other standards like PCI DSS (Payment Card Industry Data Security Standard) may also be impacted if the webmail system is used to handle or transmit payment-related information. A stored XSS vulnerability could lead to the theft of payment data, violating PCI DSS requirements.

Failure to address this vulnerability promptly may be seen as a lack of due diligence in protecting sensitive data, potentially leading to non-compliance with these regulations.

Detection Guidance

Detecting this vulnerability requires checking if your Roundcube Webmail installation is running a version before 1.6.17 or 1.7.x before 1.7.2. The vulnerability involves stored XSS via unescaped attachment MIME types on the attachment-validation warning page.

To check your Roundcube version, you can:

  • Look at the footer of the Roundcube web interface, which typically displays the version number.
  • Check the version file directly on the server, often located at /path/to/roundcube/program/include/iniset.php or by running: cat /var/www/roundcube/program/include/iniset.php | grep RCMAIL_VERSION

For network-level detection, you can scan for Roundcube instances using tools like Nmap with version detection enabled:

  • nmap -sV --script=http-version -p 80,443 <target_IP_or_domain>

If you suspect exploitation, review web server logs for unusual attachment uploads or requests to the attachment-validation warning page with suspicious MIME types.

Mitigation Strategies

The primary mitigation for CVE-2026-54432 is to upgrade Roundcube Webmail to the latest patched version.

  • Upgrade to Roundcube version 1.6.17 or 1.7.2 (or later) immediately. Follow the official upgrade instructions provided by Roundcube.

If upgrading is not immediately possible, consider the following temporary measures:

  • Disable the attachment-validation warning page if feasible, though this may impact user experience.
  • Implement a web application firewall (WAF) rule to block requests containing suspicious MIME types or XSS payloads in attachment-related parameters.
  • Monitor web server logs for signs of exploitation, such as unusual attachment uploads or requests to the vulnerable page.

After applying the patch, verify that the upgrade was successful by checking the version number and testing attachment uploads to ensure the XSS vulnerability is no longer present.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54432. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart