#VU124142 Stored cross-site scripting in Roundcube Webmail


Published: March 19, 2026 / Updated: March 19, 2026


Vulnerability identifier: #VU124142
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Roundcube Webmail
Software vendor:
Roundcube

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in a victim's browser session via a malicious HTML attachment preview.

The vulnerability exists due to insufficient sanitization of attacker-supplied HTML in the HTML attachment preview component. A remote attacker can send a specially crafted HTML file as an attachment which, when previewed by the recipient, executes arbitrary script in the context of the user's webmail session (CWE-79, stored cross-site scripting).

User interaction is required (the recipient must open the attachment preview), but the attacker needs no account or privileges on the target server, which the vector above reflects as PR:N and UI:P.
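The following is an added example, not Roundcube's code (Roundcube is written in PHP and ships its own HTML washer). It shows, in Python's standard library, what an attachment-preview sanitizer has to do to close this class of bug: build a test message carrying an HTML attachment with the usual script vectors (a constructed sample, not a real exploit), pull the attachment back out of the MIME tree, and run it through an allowlist sanitizer that drops script-bearing elements, event-handler attributes and non-http(s)/mailto URLs. The tag and attribute allowlists, the `report.html` filename and the `example.invalid` addresses are assumptions for the example.

```python
"""Added example (not Roundcube's code): construct a mail with an HTML attachment
containing stored-XSS vectors, then sanitize the attachment with an allowlist."""
import re
from email.message import EmailMessage
from html import escape
from html.parser import HTMLParser

# Constructed attachment body exercising common stored-XSS vectors.
MALICIOUS_HTML = """<html><body>
<h1>Quarterly report</h1>
<script>alert(document.cookie)</script>
<img src=x onerror="alert(1)">
<a href="javascript:alert(2)">link</a>
<a href="https://example.invalid/report">ok</a>
<iframe src="https://example.invalid/"></iframe>
<p style="color:red" onclick="alert(3)">text</p>
</body></html>"""

# Assumed allowlists for the example; a real washer needs a much longer, reviewed list.
ALLOWED_TAGS = {"html", "body", "h1", "h2", "p", "a", "b", "i", "br", "ul", "li",
                "img", "div", "span", "table", "tr", "td"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def build_test_mail(html_body: str) -> EmailMessage:
    """Return a MIME message with html_body attached as report.html (lab input)."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Report"
    msg.set_content("See the attached report.")
    msg.add_attachment(html_body, subtype="html", filename="report.html")
    return msg


def extract_html_attachments(msg: EmailMessage) -> list:
    """Return the decoded bodies of all text/html attachment parts."""
    return [part.get_content() for part in msg.iter_attachments()
            if part.get_content_type() == "text/html"]


class Sanitizer(HTMLParser):
    """Allowlist-based HTML sanitizer: unknown tags are dropped, dangerous
    containers are dropped together with their content, attributes are
    allowlisted and URL attributes must use a safe scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue  # drops on* handlers, style, and anything unknown
            if name in ("href", "src"):
                # Browsers ignore control characters and whitespace inside the
                # scheme, so strip them before checking ("java\tscript:" etc.).
                scheme_view = re.sub(r"[\x00-\x20]", "", value).lower()
                if not scheme_view.startswith(SAFE_SCHEMES):
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))
    # Comments, doctype and processing instructions are dropped by default.


def sanitize_html(html_text: str) -> str:
    s = Sanitizer()
    s.feed(html_text)
    s.close()
    return "".join(s.out)


def has_active_content(html_text: str) -> bool:
    """Crude post-check used by the lab test, not a sanitizer in itself."""
    lowered = html_text.lower()
    return any(m in lowered for m in
               ("<script", "<iframe", "javascript:", "onerror=", "onclick=", "onload="))


if __name__ == "__main__":
    for html in extract_html_attachments(build_test_mail(MALICIOUS_HTML)):
        print("active content before:", has_active_content(html))
        clean = sanitize_html(html)
        print("active content after:", has_active_content(clean))
        print(clean)
```

Sanitization of the preview is only one layer: rendering attachments from a separate origin or with a restrictive Content-Security-Policy keeps a missed vector from running with the user's session, which is the fix pattern a reviewer would look for alongside the vendor update.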


Remediation

Install the security update from the vendor's website.

External links