CVE-2026-48848

Published May 25th, 2026

View on NVD ↗

CVSS v3

7.2

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

roundcube/roundcubemail

The Roundcube Webmail suite

GitHub