CVE-2023-5631 MEDIUM

CVE-2023-5631: Stored XSS vulnerability in Roundcube

Vendor: Roundcube
Product: Roundcubemail
Weakness: CWE-79 · XSS
KEV Status: Known Exploited
Published: October 18, 2023
Last update: October 21, 2025

CVSS base score

6.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

October 18, 2023: CVE published
October 21, 2025: Record updated
