Roundcube Webmail Information Disclosure Vulnerability in HTML Style Sanitizer

Vulnerability

A vulnerability allowing information disclosure has been identified in Roundcube Webmail versions prior to 1.5.12, and in 1.6.x versions prior to 1.6.12. The issue arises in the HTML style sanitizer, where improper handling of style content could lead to unintended information exposure.

Impact

Exploitation of this vulnerability could result in unauthorized information disclosure.

Reproduction

The vulnerability can be reproduced by crafting a style block that includes 'page:' properties or SVG elements, which the sanitizer fails to process correctly. This can be done by embedding such content within a div style, effectively bypassing the intended sanitization and potentially leading to information leakage.

Remediation

Users are advised to update to Roundcube Webmail 1.6.12 (for the 1.6 branch) or 1.5.12 (for the 1.5 branch).
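As an added example (not Roundcube project code), the following Python encodes the affected version ranges stated above so that an inventory of installed version strings can be triaged for remediation. The inventory values are constructed; treating branches newer than 1.6 as unaffected is an assumption read from the ranges the advisory gives, and pre-release tags are rejected rather than guessed at.

```python
"""Triage Roundcube Webmail version strings against the advisory's affected
ranges: everything before 1.5.12, and the 1.6 branch before 1.6.12.
Added example; it is not Roundcube's own code."""

import re
from typing import Dict, Iterable, Tuple

# Fix versions as given in the advisory, one per maintained branch.
FIXED_VERSIONS = {
    (1, 5): (1, 5, 12),
    (1, 6): (1, 6, 12),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into an integer tuple.

    Anything else (for example a pre-release tag such as '1.6.12-rc') is
    rejected so that it is never silently treated as a fixed release.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """Return True if the version lies inside an affected range."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        # Maintained branch: affected until that branch's fix version.
        return parsed < FIXED_VERSIONS[branch]
    # Older branches (1.4 and earlier) are "prior to 1.5.12" and so affected.
    # Newer branches (1.7 and later) are not named in the advisory and are
    # treated as unaffected here; that is an assumption of this example.
    return parsed < FIXED_VERSIONS[(1, 5)]


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'affected' or 'fixed'."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["1.4.15", "1.5.11", "1.5.12", "1.6.0", "1.6.11", "1.6.12"]
    for ver, status in triage(inventory).items():
        print(f"{ver:>8}: {status}")
```

The branch table is the only place the advisory's numbers live, so a follow-up advisory for another branch only needs a new entry there.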

Added: Dec 18, 2025, 5:18 AM
Updated: Dec 18, 2025, 5:18 AM

Vulnerability Rating

Custom Algorithm

  spread          6.4
  impact          2.5
  exploitability  7.6
  remediation     7.7
  relevance       1.6
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.