Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 14 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page. | |
| First Time appeared |
Roundcube
Roundcube webmail |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Roundcube
Roundcube webmail |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-14T16:21:55.409Z
Reserved: 2026-06-15T13:27:41.810Z
Link: CVE-2026-54432
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T17:30:04Z
Weaknesses