CVE-2026-54433
Analyzed Analyzed - Analysis Complete

Stored XSS in Roundcube Webmail via Crafted Email

Vulnerability report for CVE-2026-54433, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-15

Assigner: MITRE

Description

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, there is Stored Cross-Site Scripting (XSS) via a crafted plain-text email message. The attacker-controlled JavaScript executes within the victim's authenticated session simply by opening or previewing the message (zero-click).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
roundcube webmail to 1.6.17 (exc)
roundcube webmail From 1.7.0 (inc) to 1.7.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54433 is a Stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail versions before 1.6.17 and 1.7.x before 1.7.2.

The vulnerability occurs when a crafted plain-text email message is processed by Roundcube. The attacker can embed malicious JavaScript code in the email, which then executes automatically when the victim opens or previews the message.

This is a zero-click exploit, meaning the victim does not need to interact with the email beyond opening or previewing it. The malicious code runs within the victim's authenticated session, potentially allowing the attacker to perform actions on behalf of the victim or steal sensitive information.

Impact Analysis

If you are using an affected version of Roundcube Webmail, this vulnerability could have several impacts:

  • An attacker could execute arbitrary JavaScript code in your browser while you are logged into Roundcube.
  • The attacker could steal your session cookies, allowing them to hijack your session and access your emails or perform actions as you.
  • The attacker could exfiltrate sensitive information from your emails, such as personal data, login credentials, or confidential communications.
  • The attacker could manipulate your email settings, send emails on your behalf, or delete emails.

Since the exploit is zero-click, simply receiving and previewing a malicious email is enough to trigger the attack, making it particularly dangerous.

Compliance Impact

This vulnerability could impact compliance with several common standards and regulations, depending on the context in which Roundcube Webmail is used:

  • GDPR (General Data Protection Regulation): If Roundcube is used to handle personal data of EU citizens, this vulnerability could lead to unauthorized access or disclosure of personal data. Under GDPR, organizations must implement appropriate security measures to protect personal data. Failure to patch this vulnerability could result in non-compliance and potential fines.
  • HIPAA (Health Insurance Portability and Accountability Act): If Roundcube is used in a healthcare setting to handle protected health information (PHI), this vulnerability could lead to unauthorized access to PHI. HIPAA requires covered entities to protect the confidentiality, integrity, and availability of PHI. Exploitation of this vulnerability could result in a breach, leading to non-compliance and potential penalties.
  • Other standards like PCI DSS (Payment Card Industry Data Security Standard): If Roundcube is used in an environment where payment card information is handled, this vulnerability could lead to unauthorized access to sensitive data. PCI DSS requires organizations to protect cardholder data, and failure to address this vulnerability could result in non-compliance.

Organizations using Roundcube should apply the available patches immediately to mitigate the risk of non-compliance with these regulations and standards.

Detection Guidance

Detecting CVE-2026-54433 on your network or system requires checking for vulnerable versions of Roundcube Webmail and inspecting email messages for potential exploitation attempts. Since this is a stored XSS vulnerability triggered by crafted plain-text emails, detection involves both version verification and monitoring for suspicious email content.

  • Check the installed Roundcube version: Run the following command on your Roundcube server to verify the version: cat /path/to/roundcube/program/include/iniset.php | grep RCMAIL_VERSION. If the version is before 1.6.17 or 1.7.2, the system is vulnerable.
  • Inspect email messages for suspicious plain-text content: Since the vulnerability is triggered by crafted plain-text emails, you can search for emails containing unusual JavaScript-like patterns or unexpected HTML tags in plain-text messages. Use email server logs or database queries to identify such emails.
  • Monitor Roundcube logs for unusual activity: Check Roundcube logs (e.g., logs/errors, logs/sendmail) for signs of unexpected script execution or errors related to email rendering.

Note that this vulnerability is zero-click, meaning it can be exploited simply by previewing or opening a malicious email. Automated scanning tools may not directly detect this vulnerability, so manual verification of the Roundcube version is critical.

Mitigation Strategies

To mitigate CVE-2026-54433, follow these immediate steps to reduce the risk of exploitation.

  • Upgrade Roundcube to the latest patched version: Apply the security updates to upgrade to Roundcube 1.6.17 or 1.7.2, as these versions contain fixes for the stored XSS vulnerability. Follow the official upgrade instructions provided by Roundcube.
  • Disable email previews if upgrading is not immediately possible: Configure Roundcube to disable automatic email previews, which can prevent the zero-click exploitation vector. This can be done by modifying the Roundcube configuration file (config/config.inc.php) to set preview_pane to false.
  • Restrict access to Roundcube: Limit access to Roundcube Webmail to trusted networks or IP ranges until the system is patched. Use firewall rules or network-level restrictions to reduce exposure.
  • Monitor for suspicious emails: Review incoming emails for unusual plain-text content that may contain malicious scripts. Implement email filtering rules to block or quarantine suspicious messages.
  • Educate users: Inform users about the risks of opening or previewing unexpected emails, even if they appear to be plain-text. Encourage them to report any suspicious activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart