CVE-2026-48848

high

Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

References

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1

https://github.com/roundcube/roundcubemail/releases/tag/1.7.1

https://github.com/roundcube/roundcubemail/releases/tag/1.6.16

https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9

https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27

Details

Source: Mitre, NVD

Published: 2026-05-25

Updated: 2026-05-26

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 7.2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Severity: High

EPSS

EPSS: 0.00044

Detections

Analytics