CVE-2026-26079

Summary

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

Affected Software

VendorProductVersion RangeStatus
RoundcubeWebmail0 < 1.5.13affected
RoundcubeWebmail1.6.0 < 1.6.13affected

Weaknesses

  • CWE-829: CWE-829 Inclusion of Functionality from Untrusted Control Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References