CVE-2026-26079

Published: Feb 11, 2026

Modified: Feb 11, 2026

PUBLISHED

CVSS v3.1

4.7

MEDIUM

Description

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

Vendor	Product	Versions
Roundcube	Webmail	affected `0 - < 1.5.13` affected `1.6.0 - < 1.6.13`

Weaknesses (CWE)

CWE-829

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

References

https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13

https://github.com/roundcube/roundcubemail/releases/tag/1.6.13

https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816

https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447

https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01

https://github.com/roundcube/roundcubemail/releases/tag/1.5.13

https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954

https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5

https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-26079

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References