CVE-2025-68461
In short
Roundcube Webmail allows attackers to inject malicious scripts through SVG files with animate tags, which can steal user data or take actions on their behalf when viewing emails.
Technical detail
Reflected/stored XSS vulnerability in SVG parsing (animate tag) allows unauthenticated or authenticated attackers to execute arbitrary JavaScript in the victim's browser context. Attack vector: a malicious SVG attachment or inline SVG in an email; impact: session hijacking, credential theft, unauthorized actions.
Summary generated and translated by AI from the official description.
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site Scripting (XSS) vulnerability via the animate tag in an SVG document.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products
Roundcube · Webmail
Public PoCs found — 2
github.com/rxerium/CVE-2025-68461 (★ 16)
github.com/gotr00t0day/CVE-2025-68461 (★ 6)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.