CVE-2026-48848 | THREATINT

Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

PUBLISHED Reserved 2026-05-25 | Published 2026-05-25 | Updated 2026-05-26 | Assigner mitre

HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

1.6.0 (semver) before 1.6.16

affected

1.7.0 (semver) before 1.7.1

affected

References

roundcube.net/...026/05/24/security-updates-1.6.16-and-1.7.1

github.com/roundcube/roundcubemail/releases/tag/1.7.1

github.com/...ommit/c960d102472dc579e15907d5bcdc3103a090ccf9

github.com/roundcube/roundcubemail/releases/tag/1.6.16

github.com/...ommit/58e5263f341e6a418774fb6d2643669a3c4d8a27

cve.org (CVE-2026-48848)

nvd.nist.gov (CVE-2026-48848)

Download JSON