PT-2025-51991 · Roundcube+4 · Roundcube Webmail+4

Valentin T · Published 2025-12-13 · Updated 2026-04-01 · CVE-2025-68461

CVSS v3.1

7.2 · High · AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Roundcube versions prior to 1.5.12
Roundcube versions prior to 1.6.12

Description

Roundcube Webmail contains a Cross-Site Scripting (XSS) issue stemming from the use of the animate tag within SVG documents. This allows attackers to execute malicious scripts. Additionally, an Information Disclosure issue exists in the HTML style sanitizer. The issue is actively exploited and could lead to email account takeover. There is no information available regarding the number of affected devices.

Recommendations

Roundcube versions prior to 1.5.12 should be updated to version 1.5.12 or later.
Roundcube versions prior to 1.6.12 should be updated to version 1.6.12 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-03414
CVE-2025-68461
DLA-4415-1
DSA-6087-1
MGASA-2025-0332
OPENSUSE-SU-2026:20323-1
USN-8097-1

Affected Products

Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu