HIGHCVE-2026-48848Published Modified CNA mitre
CVE-2026-48848: Roundcube Webmail 1
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
Metrics
- CVSS v3.1
- 7.2
- Severity
- HIGH
- Fixed in
- 1.6.16
- Affected Products
- 1
Fix available
1.6.161.7.1
Affected packages
- Roundcube / Webmail< 1.6.16 (from 1.6.0) · < 1.7.1 (from 1.7.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N