CVE-2026-48849
MEDIUM
CVSS 4.4
No EPSS data
Description
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the restored draft value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-48849",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "cve@mitre.org",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 4.4,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "REQUIRED",
"attackComplexity": "HIGH",
"availabilityImpact": "NONE",
"privilegesRequired": "LOW",
"confidentialityImpact": "LOW"
},
"impactScore": 2.7,
"exploitabilityScore": 1.3
}
]
},
"published": "2026-05-25T20:16:37.540",
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/commit/189d30a4890319cd687df959ca9f768a3a613d61",
"source": "cve@mitre.org"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a",
"source": "cve@mitre.org"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16",
"source": "cve@mitre.org"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1",
"source": "cve@mitre.org"
},
{
"url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1",
"source": "cve@mitre.org"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"type": "Primary",
"source": "cve@mitre.org",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes."
}
],
"lastModified": "2026-05-26T19:26:42.643",
"sourceIdentifier": "cve@mitre.org"
}
}