CVE-2026-48849
MEDIUM
NVD
CVSS Score
4.4
Severity
MEDIUM
Published
May 25, 2026
Vendor
unknown
Description
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
References
- https://github.com/roundcube/roundcubemail/commit/189d30a4890319cd687df959ca9f768a3a613d61
- https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
- https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
- https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1