Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Roundcube Webmail Cross-Site Scripting Vulnerability via SVG Animate Tag

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in Roundcube Webmail versions prior to 1.5.12 and 1.6 through 1.6.12. The issue arises from the handling of the animate tag within SVG documents, which can be exploited to inject malicious scripts.

Impact

An attacker who exploits this vulnerability can inject malicious scripts that execute in the user's browser, in the context of the Roundcube Webmail page.

Reproduction

To reproduce this vulnerability, create an SVG file that includes an animate tag. The animate tag can be used to reference JavaScript URLs, such as 'javascript:alert(1)'. When this SVG is processed by Roundcube Webmail, the injected script will be executed, demonstrating the Cross-Site Scripting vulnerability.
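A defender-side check for the SVG pattern described above, added here as an example (it is not Roundcube's sanitizer code and not part of the original advisory): it parses markup with Python's standard html.parser and reports animate attributes whose value, or any ';'-separated entry in it, normalises to a javascript: URL. The function names and the sample SVG strings are constructed for illustration.

```python
from html.parser import HTMLParser

# URL parsers drop ASCII tab/newline anywhere and ignore leading C0 controls/space.
_DROP_ANYWHERE = str.maketrans("", "", "\t\n\r")
_LEADING_JUNK = "".join(map(chr, range(0x21)))


def is_script_url(value: str) -> bool:
    """True if value is a javascript: URL after URL-parser style normalisation."""
    cleaned = value.translate(_DROP_ANYWHERE).lstrip(_LEADING_JUNK)
    return cleaned.lower().startswith("javascript:")


class AnimateScanner(HTMLParser):
    """Collects (attribute, value) pairs on <animate> that carry javascript: URLs."""

    def __init__(self):
        # html.parser lowercases tag/attribute names and decodes character
        # references in attribute values, so entity-encoded schemes are seen decoded.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "animate":
            return
        for name, value in attrs:
            # values= holds a ';'-separated list; checking only the start of the
            # whole attribute would miss a later entry.
            for part in (value or "").split(";"):
                if is_script_url(part):
                    self.findings.append((name, part.strip()))


def scan_svg(markup: str):
    """Return the list of suspicious animate attributes found in the markup."""
    scanner = AnimateScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed samples (not taken from real traffic).
SAMPLE_FLAGGED = '<svg xmlns="http://www.w3.org/2000/svg"><animate values="0;javascript:alert(1)"/></svg>'
SAMPLE_MIXED = '<svg><animate to=" JaVaScRiPt:alert(1)" values="0;1"/></svg>'
SAMPLE_BENIGN = '<svg><circle r="5"><animate attributeName="r" values="5;10;5" dur="2s"/></circle></svg>'

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_MIXED, SAMPLE_BENIGN):
        print(scan_svg(sample))
```

A check like this is suited to flagging SVG attachments or inline SVG for review at a mail gateway or in log triage; it does not replace updating Roundcube.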

Remediation

Users are advised to update to Roundcube Webmail versions 1.6.12 or 1.5.12.

Added: Dec 18, 2025, 5:17 AM
Updated: Feb 20, 2026, 7:51 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.7
exploitability: 8.3
remediation: 7.7
relevance: 1.5
threat: 8.1
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.