CVE-2026-48848 HIGH

CVE-2026-48848

Vendor Roundcube

Product Webmail

Weakness CWE-79 · XSS

Published May 25, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

Key dates

02Disclosure timeline

May 25, 2026 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-48848

Related vulnerabilities

04Related CVE

CVE-2024-37229 WordPress Blogmentor – Blog Layouts for Elementor plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability CVE-2026-1666 Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter CVE-2024-0508 Orbit Fox by ThemeIsle <= 2.10.27 - Authenticated(Contributor+) Stored Cross-site Scripting via Pricing Table Elementor Widget CVE-2022-40743 Apache Traffic Server: Security issues with the xdebug plugin CVE-2026-1630 Reflected XSS in WEBCON BPS

Identifiers

CVE CVE-2026-48848

CWE CWE-79

CVSS 7.2 / HIGH

Affected versions

Vendor Roundcube

Product Webmail

Affected ≥ 1.6.0 and < 1.6.16

Vendor Roundcube

Product Webmail

Affected ≥ 1.7.0 and < 1.7.1