PT-2025-51991 · Roundcube · Roundcube Webmail

Valentin T · Published 2025-12-18 · Updated 2026-02-24 · CVE-2025-68461

CVSS v3.1: 7.2
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Roundcube versions prior to 1.5.12; Roundcube versions prior to 1.6.12

Description: Roundcube Webmail is susceptible to a Cross-Site Scripting (XSS) issue through the animate tag within SVG documents. Additionally, an Information Disclosure issue exists in the HTML style sanitizer. Exploitation of the XSS issue could potentially allow an attacker to silently compromise email accounts. The vulnerability is related to how Roundcube processes SVG files, specifically the animate tag, allowing malicious code execution.

Recommendations: Roundcube versions prior to 1.5.12: upgrade to version 1.5.12 or later. Roundcube versions prior to 1.6.12: upgrade to version 1.6.12 or later.
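The advisory names the SVG animate element as the vector but does not show the fix. As an added illustration of the defensive principle (this is an editor's example, not Roundcube's own sanitizer code and not the patch shipped in 1.5.12/1.6.12), the following Python function parses inbound SVG markup and drops every animate element before the document is handed to a browser, reporting how many were removed so the event can be logged. The sample SVG input is constructed here for the demonstration; the function name and return shape are this example's own choices.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the default SVG namespace unprefixed when the cleaned tree is re-serialized,
# so the output is still a normal <svg ...> document.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Element names this example refuses to pass through to the browser. Only "animate",
# the element named in the advisory, is listed; SMIL has sibling elements that a
# production sanitizer would consider as well (assumption: an allow-list is better).
BLOCKED_LOCAL_NAMES = {"animate"}


def _local_name(tag):
    """Strip a Clark-notation namespace ({uri}name) and return the bare element name."""
    return tag.rsplit("}", 1)[-1] if tag.startswith("{") else tag


def sanitize_svg(svg_text):
    """Parse SVG text, remove every blocked element anywhere in the tree, and return
    (cleaned_svg_text, removed_count). Raises ValueError if the markup is not
    well-formed XML or the root element itself is blocked, so callers reject the
    document instead of displaying something half-parsed.

    Note: xml.etree does not fetch external entities, but for untrusted input in
    production the defusedxml package is the safer parser (assumption, not shown here).
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError("malformed SVG rejected: %s" % exc)

    if _local_name(root.tag).lower() in BLOCKED_LOCAL_NAMES:
        raise ValueError("root element is blocked")

    removed = 0
    # Snapshot the iteration so removing children does not disturb traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag).lower() in BLOCKED_LOCAL_NAMES:
                parent.remove(child)
                removed += 1

    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: a harmless rectangle plus two animate elements, one nested
# inside a group and one at the top level, to show that depth does not matter.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect id="box" width="50" height="50" fill="blue"/>
  <g>
    <animate attributeName="fill" from="blue" to="red" dur="1s"/>
  </g>
  <animate attributeName="width" from="50" to="80" dur="2s"/>
</svg>"""


def demo():
    """Run the sanitizer over the constructed sample and return the result."""
    cleaned, removed = sanitize_svg(SAMPLE_SVG)
    return cleaned, removed


if __name__ == "__main__":
    cleaned, removed = demo()
    print("removed %d animate element(s)" % removed)
    print(cleaned)
```

A non-zero removed count is worth surfacing in logs: a message that arrives with animation elements inside an inline SVG is unusual for ordinary mail and is a cheap detection signal while the upgrade to 1.5.12 / 1.6.12 is rolled out.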

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-68461
DLA-4415-1
DSA-6087-1
MGASA-2025-0332

Affected Products

Debian
Roundcube Webmail