PT-2021-5416 · Roundcube +3

Guilhem Moulin

·

Published

2019-11-09

·

Updated

2026-03-12

·

CVE-2021-44026

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Roundcube versions prior to 1.3.17
Roundcube versions 1.4.x prior to 1.4.12
Description

The issue concerns Roundcube, a skinnable AJAX-based webmail solution for IMAP servers, which did not properly sanitize requests and mail messages. An attacker could perform Cross-Site Scripting (XSS) or SQL injection via the search or search_params parameters.

Recommendations

For versions prior to 1.3.17, upgrade to version 1.3.17 or later. For versions 1.4.x prior to 1.4.12, upgrade to version 1.4.12 or later. Where the upgrade cannot be applied immediately, restrict access to the search and search_params parameters as a temporary mitigation until it can.
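The injection class the description refers to, shown as an added example rather than Roundcube's own code: a user-controlled search string spliced into SQL statement text next to the same query with the value bound as a parameter. The schema, the rows and the `search` payload are constructed for the illustration and stand in for whatever the real application stores; only the contrast between the two query styles is the point.

```python
"""Constructed illustration of SQL injection through a search parameter.

Example code, not from Roundcube: the `contacts` table, its rows and the
payload below are invented to show why interpolating untrusted input into
statement text is exploitable and why binding it as a parameter is not.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with rows for two users (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE contacts (user_id INTEGER, name TEXT, email TEXT);
        INSERT INTO contacts VALUES (1, 'Alice', 'alice@example.org');
        INSERT INTO contacts VALUES (2, 'Bob',   'bob@example.org');
        INSERT INTO contacts VALUES (2, 'Carol', 'carol@example.org');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, user_id: int, search: str) -> list[str]:
    """Vulnerable pattern: the search string becomes part of the SQL text.

    A single quote in `search` closes the LIKE literal, so the rest of the
    input is parsed as SQL and can rewrite the WHERE clause.
    """
    sql = (
        f"SELECT email FROM contacts "
        f"WHERE user_id = {user_id} AND name LIKE '%{search}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, user_id: int, search: str) -> list[str]:
    """Hardened pattern: identical query, but every untrusted value is bound.

    The driver ships `search` to the engine as data, so it can only be
    compared against names; it can never change the statement's structure.
    """
    sql = "SELECT email FROM contacts WHERE user_id = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (user_id, f"%{search}%"))]


# Constructed payload: closes the string literal, ORs in a tautology, and
# comments out the trailing "%'" so the statement still parses.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict[str, list[str]]:
    """Run both variants as user 1 with the payload; user 1 owns only Alice's row."""
    conn = make_db()
    return {
        "vulnerable": search_vulnerable(conn, 1, PAYLOAD),  # leaks every user's rows
        "fixed": search_fixed(conn, 1, PAYLOAD),            # matches nothing
    }


if __name__ == "__main__":
    for variant, emails in demo().items():
        print(f"{variant:10s} -> {emails}")
```

Running it shows the vulnerable query returning all three addresses, including the two that belong to another user, while the parameterised version returns an empty list for the same input; the same payload through `search_fixed` with a benign term (for example `"ar"` as user 2) still finds Carol, so correctness of the search is unchanged by the fix.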

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2097
ALT-PU-2020-2319
ALT-PU-2020-2367
ALT-PU-2020-2518
ALT-PU-2020-2554
ALT-PU-2020-3561
ALT-PU-2020-3566
ALT-PU-2021-3558
ALT-PU-2022-1073
ALT-PU-2023-6826
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2021-06259
BIT-ROUNDCUBE-2021-44026
CVE-2021-44026
DLA-2840-1
DSA-5013-1
MGASA-2022-0039
USN-5182-1

Affected Products

Alt Linux
Linuxmint
Roundcube
Ubuntu