CVE-2026-48849

Published May 25th, 2026

View on NVD ↗

CVSS v3

4.4

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

roundcube/roundcubemail

The Roundcube Webmail suite

GitHub