The maintainers of Roundcube Webmail, one of the world’s most widely used open-source email solutions, have issued security updates for their 1.6 and 1.5 LTS branches. The patches address two high-severity vulnerabilities that could allow attackers to execute malicious scripts or leak sensitive information through innocent-looking emails.
Both flaws carry a CVSS score of 7.2, marking them as “High” severity risks that administrators should address immediately.
The first vulnerability, tracked as CVE-2025-68461, is a Cross-Site Scripting (XSS) flaw hidden within the handling of Scalable Vector Graphics (SVG) images. Discovered by researcher Valentin T. from CrowdStrike, the exploit leverages the <animate> tag within an SVG file.
By crafting a malicious email containing a specially prepared SVG, an attacker could trigger JavaScript execution in the victim’s browser the moment the image is viewed. In a webmail context, XSS is particularly dangerous, as it can often be used to steal session cookies, hijack accounts, or redirect users to phishing sites without their knowledge.
The second flaw targets the privacy of the inbox itself. Tracked as CVE-2025-68460, this Information Disclosure vulnerability resides in Roundcube’s HTML style sanitizer.
Reported by a researcher going by the handle somerandomdev, the bug allows attackers to bypass the sanitizer’s filters. While the specific mechanics are technical, the outcome is clear: improper handling of CSS styles could be abused to infer or exfiltrate data from the webmail interface.
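As an added defensive illustration of the two bug classes above (this is example code, not Roundcube's PHP sanitizer), the Python scrubber below drops the SMIL animation elements that the SVG XSS abused, and, because the second bug is about CSS, also drops style elements and inline styles and restricts links to in-document fragments. The blocked element names, the sample SVG and its attribute values are constructed for the example.

```python
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Dropped outright: the SMIL animation family (the reported XSS abused <animate>),
# script, foreignObject (embeds HTML) and style (CSS drives the disclosure bug).
BLOCKED_TAGS = {"animate", "set", "animateTransform", "animateMotion",
                "script", "foreignObject", "style"}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}   # may only point at a fragment

def _local(name):                 # strip ElementTree's {namespace} prefix
    return name.rsplit("}", 1)[-1]

def _scrub_attrs(el, removed):
    for attr in list(el.attrib):
        lname = _local(attr).lower()
        if lname.startswith("on") or lname == "style":
            del el.attrib[attr]   # event handlers and inline CSS
            removed.append("attr:" + lname)
        elif attr in URL_ATTRS and not el.attrib[attr].strip().startswith("#"):
            del el.attrib[attr]   # external or scheme-based URL
            removed.append("attr:" + lname)

def _scrub_children(parent, removed):
    for child in list(parent):
        if _local(child.tag) in BLOCKED_TAGS:
            parent.remove(child)
            removed.append("element:" + _local(child.tag))
            continue
        _scrub_attrs(child, removed)
        _scrub_children(child, removed)

def sanitize_svg(svg_text):
    """Return (sanitized SVG string, list describing what was removed)."""
    root = ET.fromstring(svg_text)
    removed = []
    _scrub_attrs(root, removed)
    _scrub_children(root, removed)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: a harmless drawing carrying constructs untrusted mail should not render.
SAMPLE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
              'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
              '<style>circle{fill:red}</style>'
              '<circle r="5"><animate attributeName="r" to="10"/></circle>'
              '<a xlink:href="https://example.invalid/"><text>hi</text></a>'
              '<a href="#local"><text>ok</text></a></svg>')
```

A denylist like this is only a first line of defence; the safer default for a webmail client is to not render inline SVG from untrusted mail at all.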
Roundcube has released patches for both supported lines. Administrators are urged to upgrade to the latest releases in the 1.6 and 1.5 LTS series immediately to close these vectors.