CVE-2025-68461 · MEDIUM 6.1 · CISA KEV · EPSS p97.1%

CVE-2025-68461: RoundCube Webmail Cross-site Scripting Vulnerability

Roundcube / Webmail

Description

RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.

Scoring

CVSS 3.1: 6.1 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 19.77% probability of exploitation · percentile 97.1% · 2026-06-19T12:03:05Z
Published: 2025-12-18
Last modified: 2026-02-23

CISA KEV entry

Added to KEV: 2026-02-20

Underlying weaknesses · 1

CWE-79

References

  1. https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
  2. https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
  3. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68461

1

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79) | 0% | live |

(incoming) · 1

| Type | Target | Confidence | Tier |
|---|---|---|---|
| KEVEntry | RoundCube Webmail Cross-site Scripting Vulnerability (kev-cve-2025-68461) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
  2. CVE: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
  3. CVE: CVE-2026-35545
  4. CVE: Roundcube Webmail Remote Code Execution Vulnerability
  5. CVE: RoundCube Webmail Deserialization of Untrusted Data Vulnerability
  6. CVE: Roundcube Webmail File Disclosure Vulnerability

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.