AI description
Automated description summarized from trusted sources.
CVE-2026-48849 describes a stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail. Affected versions are 1.6.x before 1.6.16 and 1.7.x before 1.7.1. The flaw stems from an unsanitized subject field when a draft message is restored in a shared mailbox, which allows injection of HTML or CSS. When a user opens a message with a crafted subject in a shared mailbox, the injected code executes in that user's browser context. The issue is categorized as improper neutralization of input during web page generation (CWE-79).
- Description: In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
- Source: cve@mitre.org
- NVD status: Deferred
CVSS 3.1
- Type: Secondary
- Base score: 4.4
- Impact score: 2.7
- Exploitability score: 1.3
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
- Severity: MEDIUM
Weakness
- Source: cve@mitre.org
- CWE: CWE-79
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 9