TL;DR
Roundcube shipped versions 1.7.2 and 1.6.17 to fix six security bugs. The headline flaw is a Roundcube zero-click XSS, tracked as CVE-2026-54433, in plain-text message rendering. The update also closes a second stored XSS, an SSRF bypass, and three more issues.
Why It Matters
Roundcube runs on countless self-hosted mail servers. So a zero-click bug is dangerous, because the victim only has to open the email. From there, an attacker can run script inside the mailbox session. That access can steal messages, contacts, or the account password. In February 2026, CISA added earlier Roundcube XSS flaws to its Known Exploited Vulnerabilities catalog. That history raises the stakes here. Still, no in-the-wild exploitation has been reported for these two bugs.
How the Attack Works
CVE-2026-54433 sits in how Roundcube renders plain-text email. The renderer fails to escape crafted content, so script runs on view. Plain-text view feels safe, so this vector is easy to overlook. Meanwhile, CVE-2026-54432 stems from an unescaped attachment MIME type on the warning page. Together, they let a malicious email plant a Roundcube zero-click XSS or a click-based one. The team also closed SSRF bypasses and two denial-of-service bugs in the TNEF decoder.
Affected Versions
The flaws affect Roundcube before 1.7.2 and before 1.6.17. Bohdan Kurinnoy of Samsung R&D Institute Ukraine reported both XSS issues. Independent researchers reported the SSRF, password, and TNEF bugs. Roundcube calls the release stable and urges every production site to upgrade.
Patch and Mitigation
Update now to close this Roundcube zero-click XSS. The Roundcube 1.7.2 release lists every fix. Back up your data first, then upgrade all production installs. No workaround replaces the patch.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.