Roundcube Webmail CSS Injection Vulnerability

Vulnerability

A CSS injection vulnerability has been identified in Roundcube Webmail versions prior to 1.5.13 and 1.6 through 1.6.13. The issue arises from improper handling of comments, which can be exploited to inject malicious styles.

Impact

Exploitation of this vulnerability allows for CSS injection, which could be used to manipulate the appearance of the webmail interface or potentially exploit other vulnerabilities, such as the previously reported remote image blocking bypass via SVG content.

Reproduction

The vulnerability can be reproduced by uploading a CSS style that includes comments. The 'mod_css_styles' function in 'rcube_utils.php' can be used to test the injection: after the sanitizer has stripped comments, any comment delimiters still present in its output are treated as a sign of a potential injection, indicating that the vulnerability exists.
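The residue check described above, written out as an added illustration in Python (this is not Roundcube's 'mod_css_styles', which performs far more sanitization; the function names and the constructed sample styles are assumptions made for this example):

```python
import re

# Matches a well-formed CSS comment, including newlines inside it.
COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)


def strip_css_comments(css: str, max_rounds: int = 10) -> str:
    """Remove comments until no further change occurs.

    Repeating until a fixed point is reached means that comment
    delimiters which only become adjacent after an earlier removal
    are stripped as well, instead of surviving a single pass.
    """
    for _ in range(max_rounds):
        stripped = COMMENT_RE.sub('', css)
        if stripped == css:
            return stripped
        css = stripped
    return css


def has_comment_residue(css: str) -> bool:
    """True if any comment delimiter is still present after stripping."""
    return '/*' in css or '*/' in css


def check_style(css: str) -> dict:
    """Sanitize a style block and flag leftover comment delimiters.

    A style that still contains '/*' or '*/' after stripping (for
    example an unterminated comment, which browsers extend to end of
    input) is reported as suspicious rather than passed through.
    """
    cleaned = strip_css_comments(css)
    return {'clean': cleaned, 'suspicious': has_comment_residue(cleaned)}


if __name__ == '__main__':
    # Constructed sample inputs, not taken from any real message.
    for sample in ("body{color:red}/* theme */p{margin:0}",
                   "a{}/* unterminated",
                   "a{} */ b{}"):
        print(repr(sample), '->', check_style(sample))
```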

Remediation

Users are advised to update to Roundcube Webmail versions 1.5.13 or 1.6.13.

Added: Feb 11, 2026, 5:22 AM
Updated: Feb 11, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.2
exploitability: 7.6
remediation: 7.7
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.