{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-26079", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-11T04:27:24.001Z", "datePublished": "2026-02-11T04:27:24.156Z", "dateUpdated": "2026-02-11T16:06:28.336Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.13", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.13", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-11T04:44:01.342Z"}, "references": [{"url": "https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"}, {"url": "https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"}, {"url": "https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"}, {"url": "https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "1.6.13"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T16:05:48.013957Z", "id": "CVE-2026-26079", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T16:06:28.336Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-26079", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-11T04:27:24.001Z", "datePublished": "2026-02-11T04:27:24.156Z", "dateUpdated": "2026-02-11T16:06:28.336Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.13", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.13", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-11T04:44:01.342Z"}, "references": [{"url": "https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"}, {"url": "https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"}, {"url": "https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"}, {"url": "https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"}, {"url": "https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "1.6.13"}]}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26079", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T16:05:48.013957Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T16:06:12.910Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled."}], "id": "CVE-2026-26079", "lastModified": "2026-02-11T15:27:26.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-11T05:16:28.650", "references": [{"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"}, {"source": "cve@mitre.org", "url": "https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments", "id": "2438807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438807"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Roundcube Webmail. This vulnerability allows for Cascading Style Sheets (CSS) injection, a technique where an attacker can inject malicious styling code into a web page. This occurs due to the application mishandling comments. Successful exploitation could lead to the disclosure of sensitive information."], "mitigation": {"lang": "en:us", "value": "For deployments of Roundcube Webmail, restrict access to the webmail interface to trusted networks or users. Additionally, users should exercise caution when opening emails from untrusted or suspicious sources, as this vulnerability requires processing of malicious CSS within email content."}, "name": "CVE-2026-26079", "public_date": "2026-02-11T04:27:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26079\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26079\nhttps://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816\nhttps://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447\nhttps://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01\nhttps://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5\nhttps://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954\nhttps://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.5.13\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.6.13\nhttps://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"], "statement": "MODERATE: This flaw in Roundcube Webmail allows for Cascading Style Sheets (CSS) injection due to mishandled comments. This could potentially lead to information disclosure or defacement within the webmail interface when processing specially crafted email content.", "threat_severity": "Moderate"}

{}