CVE-2026-48848 PUBLISHED

Assigner: mitre
Reserved: 25.05.2026 Published: 25.05.2026 Updated: 26.05.2026

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 7.2

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Roundcube
Product	Webmail
Versions	Default: unaffected affected from 1.6.0 to 1.6.16 (excl.) affected from 1.7.0 to 1.7.1 (excl.)

References

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE