{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-26079", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-11T04:27:24.001Z", "datePublished": "2026-02-11T04:27:24.156Z", "dateUpdated": "2026-02-11T16:06:28.336Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.13", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.13", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-11T04:44:01.342Z"}, "references": [{"url": "https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"}, {"url": "https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"}, {"url": "https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"}, {"url": "https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "1.6.13"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T16:05:48.013957Z", "id": "CVE-2026-26079", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T16:06:28.336Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26079", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T16:05:48.013957Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T16:06:12.910Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Roundcube", "product": "Webmail", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.13", "versionType": "semver"}, {"status": "affected", "version": "1.6.0", "lessThan": "1.6.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"}, {"url": "https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"}, {"url": "https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"}, {"url": "https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.5.13"}, {"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.6.13", "versionStartIncluding": "1.6.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-11T04:44:01.342Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26079", "state": "PUBLISHED", "dateUpdated": "2026-02-11T16:06:28.336Z", "dateReserved": "2026-02-11T04:27:24.001Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-11T04:27:24.156Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled."}, {"lang": "es", "value": "Roundcube Webmail anterior a 1.5.13 y 1.6 anterior a 1.6.13 permite la inyecci\u00f3n de Hojas de Estilo en Cascada (CSS), por ejemplo, debido a que los comentarios se manejan incorrectamente."}], "id": "CVE-2026-26079", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-11T05:16:28.650", "references": [{"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"}, {"source": "cve@mitre.org", "url": "https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments", "id": "2438807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438807"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Roundcube Webmail. This vulnerability allows for Cascading Style Sheets (CSS) injection, a technique where an attacker can inject malicious styling code into a web page. This occurs due to the application mishandling comments. Successful exploitation could lead to the disclosure of sensitive information."], "mitigation": {"lang": "en:us", "value": "For deployments of Roundcube Webmail, restrict access to the webmail interface to trusted networks or users. Additionally, users should exercise caution when opening emails from untrusted or suspicious sources, as this vulnerability requires processing of malicious CSS within email content."}, "name": "CVE-2026-26079", "public_date": "2026-02-11T04:27:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26079\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26079\nhttps://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816\nhttps://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447\nhttps://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01\nhttps://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5\nhttps://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954\nhttps://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.5.13\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.6.13\nhttps://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"], "statement": "MODERATE: This flaw in Roundcube Webmail allows for Cascading Style Sheets (CSS) injection due to mishandled comments. This could potentially lead to information disclosure or defacement within the webmail interface when processing specially crafted email content.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.13)"}}], "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-17T20:25:22.137780+00:00", "value": {"mitigation_remediation": ["Upgrade Roundcube Webmail to version\u202f1.5.13 or later\u202f1.6.13.", "If an upgrade cannot be performed immediately, block or sanitize user input that could be interpreted as CSS comments or styles, preventing malformed comments from reaching the output.", "Configure a Content Security Policy that restricts the use of inline styles and disallows user\u2011supplied CSS.", "Review plugins and extensions for potential comment injection vectors and disable any that are unnecessary."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting via CSS injection"}, "threat_synthesis": {"affected_systems": "Roundcube Webmail versions before 1.5.13 and before 1.6.13 deployed by Roundcube:Webmail are affected. The bug exists in all affected releases regardless of installation base and can impact any instance where user\u2011generated content is rendered.", "description_and_impact": "Roundcube Webmail contains a bug that allows attackers to inject arbitrary Cascading Style Sheets through mishandled comments. The flaw can be used to alter the appearance of mail messages, overlay malicious content, or create phishing interfaces without needing to execute JavaScript. This is reflected in CWE\u201179 (XSS) and CWE\u2011829 (permissions mismatch) and may compromise user interaction and trust in the webmail client.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.7, indicating moderate severity. The EPSS score is less than 1\u2009%, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation activity to date. Attackers would likely need to inject malicious CSS into a user\u2019s mailbox or a public page in the webmail interface, typically requiring the victim to view the crafted content. The availability of an easy remediation path reduces the overall risk for organizations that apply the update in a timely manner."}}}}, "created": "2026-02-11T21:46:13.498442+00:00", "updated": "2026-04-17T20:30:15.814049+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}