Roundcube Webmail Stored Cross-Site Scripting Vulnerability in Draft Restore Subject Field

Vulnerability

A stored cross-site scripting vulnerability has been identified in Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The issue arises from an unsanitized subject field in the draft restore dialog, which could lead to HTML and CSS injection in shared mailboxes.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the shared mailbox.

Reproduction

To reproduce this vulnerability, create a draft email in a shared mailbox and enter a subject value containing HTML markup. When the draft is saved and later restored, the subject is inserted into the draft restore dialog as HTML without sanitization, so any embedded markup or script is rendered and executed.
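As an added illustration (not Roundcube's own code), the pattern behind this class of bug beside its hardened form: a draft-restore prompt that interpolates the draft subject straight into HTML, next to one that escapes the subject first. The dialog template, the helper names and the sample subject are all constructed for this example.

```javascript
// Constructed sample: a user-controlled subject that carries HTML and CSS markup.
const SAMPLE_SUBJECT = 'Meeting <b>notes</b> & <style>body{display:none}</style>';

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the subject is dropped into the dialog markup verbatim,
// so any tags it contains become real elements when the dialog is rendered.
function buildRestoreMessageUnsafe(subject) {
  return '<p>Restore the draft with subject "' + subject + '"?</p>';
}

// Hardened pattern: the same dialog, but the subject is escaped before use,
// so it is displayed as text and cannot introduce elements or styles.
function buildRestoreMessageSafe(subject) {
  return '<p>Restore the draft with subject "' + escapeHtml(subject) + '"?</p>';
}

// Defensive check: true if any tag typed into the subject survives as a
// literal tag in the rendered dialog markup (the template's own <p> is not
// part of the subject, so it never counts).
function userMarkupLeaked(message, subject) {
  const tags = subject.match(/<[^>]+>/g) || [];
  return tags.some((tag) => message.includes(tag));
}
```

The same check works as a regression test for any dialog that reflects stored mail metadata: build the markup, then confirm none of the input's tags appear unescaped in the output.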

Remediation

Users are advised to update to Roundcube Webmail version 1.6.16 (for 1.6.x) or 1.7.1 (for 1.7.x).

Added: May 26, 2026, 6:38 PM
Updated: May 26, 2026, 6:38 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.