COOEY // HUBcompliance · community · intelligence

FAIL › dossier

Roundcube vendor

11
failure events
0
zero-days
2
RCEs
11
on KEV
0
critical
65
worst shame

Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.

Failure history 11 events

DateEventSevFlagsShameSummary
2026-02-20 CVE-2025-49113 high ⚡RCE ⌖KEV 65 RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.
2023-06-22 CVE-2020-12641 high ⚡RCE ⌖KEV 65 Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
2026-02-20 CVE-2025-68461 high ⌖KEV 50 RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.
2025-06-09 CVE-2024-42009 high ⌖KEV 50 RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
2024-10-24 CVE-2024-37383 high ⌖KEV 50 RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.
2024-06-26 CVE-2020-13965 high ⌖KEV 50 Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.
2024-02-12 CVE-2023-43770 high ⌖KEV 50 Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.
2023-10-26 CVE-2023-5631 high ⌖KEV 50 Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.
2023-06-22 CVE-2021-44026 high ⌖KEV 50 Roundcube Webmail is vulnerable to SQL injection via search or search_params.
2023-06-22 CVE-2020-35730 high ⌖KEV 50 Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.
2021-11-03 CVE-2017-16651 high ⌖KEV 50 Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default.