New Roundcube Webmail Vulnerabilities Disclosed : IMAP Command Injection and SSRF via CSS Proxying.
A deep dive into two critical vulnerabilities uncovered in Roundcube Webmail (< 1.6.14, 1.5.14, 1.7 RC4) during a source code review. OVE-2026-8 allows authenticated attackers to inject arbitrary IMAP commands via the _filter parameter due to missing CRLF sanitization. OVE-2026-9 enables Server-Side Request Forgery (SSRF) by exploiting the CSS proxying mechanism, allowing access to internal network resources and cloud metadata.
Wed 08 April 2026
CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution
A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code executio...
Wed 01 April 2026
Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass
A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerabilit...
Tue 17 March 2026
CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability
A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerabil...
Wed 04 March 2026
CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing
A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution vulnerability in the Unstructured Python library (< 0.18.18). Unsanitized attachment filenames in Outlook MSG processing allow for path traversal, enabling an attacker to overwrite arbitrary files via a crafted MSG file and achieve code execution.