CVE-2026-26079 — MEDIUM (4.7)

Vulnerability Description

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

CVSS Score

4.7

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Related Weaknesses (CWE)

CWE-829

References

https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd
https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52
https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c2
https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a55
https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6b
https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8f
https://github.com/roundcube/roundcubemail/releases/tag/1.5.13
https://github.com/roundcube/roundcubemail/releases/tag/1.6.13
https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13

FAQ

What is CVE-2026-26079?

CVE-2026-26079 is a vulnerability with a CVSS score of 4.7 (MEDIUM). Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

How severe is CVE-2026-26079?

CVE-2026-26079 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-26079?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.