External risk intelligence

Roundcube Webmail Stored XSS via Crafted Email

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-54433

Roundcube Webmail is a public-facing email client application designed to be accessible via the internet for users to access their email accounts. As a webmail service, it functions as a primary, internet-accessible interface for email management, making its attack surface inherently public-facing by design.

Cross-site Scripting

Roundcube Webmail

before 1.6.171.7.0 to before 1.7.2

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical security vulnerability in Roundcube Webmail that allows attackers to execute malicious code on a user's session by sending a specially crafted email. This type of attack, known as Stored Cross-Site Scripting (XSS), is particularly concerning because it can occur with zero user interaction, simply by opening or previewing an affected message, potentially leading to unauthorized access or data compromise. The main concern is confirming the relevance and exposure of this vulnerability within our environment.

  • Malicious emails can run code in user sessions.
  • Zero-click execution impacts many users easily.
  • Verify if our systems use affected Roundcube versions.

Attack Path

How an attacker could exploit the issue

An attacker can send a specially crafted plain-text email to a user. When the victim opens or previews this email, malicious JavaScript embedded within it will run. This JavaScript executes with the victim's privileges, potentially leading to significant data compromise.

  • Requires sending an email.
  • Triggered by opening an email.
  • Risk of sensitive data exposure.

Live Threat

Current exploitation, exposure, and threat context

When a user opens or previews a specially crafted plain-text email, attacker-controlled JavaScript could execute within their authenticated session. This could potentially affect sensitive information displayed or accessible through the user's email interface when Roundcube Webmail is used in supported configurations.

  • User session data.
  • Via opening/previewing emails.
  • Session hijacking or data theft.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical stored XSS vulnerability in Roundcube Webmail, exploitable via zero-click through crafted plain-text emails, requires immediate attention from teams managing webmail services and infrastructure. The first practical step is to identify all instances of Roundcube Webmail, assess their internet reachability and business criticality, and then pinpoint the accountable owner for remediation planning.

  • Application and infrastructure teams own this.
  • Verify internet-facing instances.
  • Plan and coordinate vendor-supported updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Roundcube Webmail?

Roundcube Webmail is a widely used, browser-based email client. It allows users to read, manage, and compose emails through a web interface. Because it acts as an intermediary between a user and their email server, it must be able to render various types of email content securely. Organizations typically host this software on their own servers to provide employees or customers with a familiar, desktop-like experience for accessing their inbox from any internet-connected device.

What does CVE-2026-54433 mean?

This CVE identifies a Stored Cross-Site Scripting (XSS) vulnerability. XSS occurs when an application improperly handles user-provided data, allowing a malicious script to be saved and later executed in another user's browser. In this specific case, the weakness (CWE-79) allows an attacker to embed JavaScript within a plain-text email. When the victim views that message, the browser treats the malicious code as if it were legitimate part of the Roundcube application.

How is this vulnerability triggered?

An attacker triggers this by sending a specially crafted plain-text email to a target. The vulnerability is triggered immediately when the victim opens or previews the message, meaning no clicks on links or downloads are required for the code to run. It is important to note that this does not occur if the email remains in an unread or unviewed state in the inbox; the malicious code only executes when the application attempts to render the message body for the user.

Is my Roundcube instance at risk?

If you are running an affected version, your risk level is elevated because the Halo Surface Signal identifies Roundcube as a public-facing application. Since webmail services are designed to be reachable via the internet to allow remote access, they are inherently exposed to incoming email from any source. This makes it possible for external actors to deliver the malicious payload directly to your users' accounts without needing prior access to your internal network.

How do I respond to this vulnerability?

Begin by auditing your infrastructure to identify all instances of Roundcube Webmail and verify their specific version numbers. If you are running a version before 1.6.17 or within the 1.7.0 to 1.7.1 range, you are affected. Once identified, coordinate with your system owners to schedule the application of vendor-provided updates. Prioritize instances that are internet-facing, as these represent the most immediate path for an attacker to deliver the malicious payload to your users.

References