Tag
Roundcube
Roundcube Webmail Vulnerabilities Disclosed : IMAP Command Injection (OVE-2026-8) & SSRF via CSS Proxying (OVE-2026-9) - PoC & Exploit
A deep dive into two critical vulnerabilities uncovered in Roundcube Webmail (< 1.6.14, 1.5.14, 1.7 RC4) during a source code review. OVE-2026-8 allows authenticated attackers to inject arbitrary IMAP commands via the _filter parameter due to missing CRLF sanitization. OVE-2026-9 enables Server-Side Request Forgery (SSRF) by exploiting the CSS proxying mechanism, allowing access to internal network resources and cloud metadata.
Wed 08 April 2026
Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass
A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerabilit...
Tue 17 March 2026