What the vulnerability does
01Description
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
CVSS base score
7.2/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA mandated remediation
02CISA Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Key dates
03Disclosure timeline
December 18, 2025
CVE published
February 26, 2026
Record updated
External resources
04References
NVD — National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2025-68461
CISA KEV Reference
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-…
CISA KEV Reference
https://github.com/roundcube/roundcubemail/commit/bfa032631c36…
CISA KEV Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-68461
Related vulnerabilities
05Related CVE
CVE-2026-23752 GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter
CVE-2024-7388 WP Bannerize Pro <= 1.9.0 - Authenticated (Editor+) Stored Cross-Site Scripting
CVE-2025-22524 WordPress فرم ساز فرم افزار Plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability
CVE-2024-1057 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2023-2340 Cross-site Scripting (XSS) - Stored in pimcore/pimcore
