Mallory
Severity: Medium · CISA KEV · Exploited in the wild · Public exploit

Stored XSS in Roundcube Webmail linkref_addindex

Identifiers: CVE-2020-35730 · CWE-79 (Improper Neutralization of Input…)

CVE-2020-35730 is a stored cross-site scripting vulnerability in Roundcube Webmail affecting versions before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. An attacker triggers it by sending a plain-text email whose body contains JavaScript inside a link reference element. When Roundcube converts the plain-text body to HTML for display, the linkref_addindex routine in rcube_string_replacer.php fails to neutralize that content, so attacker-controlled markup is emitted into the rendered message and executes in the victim's authenticated Roundcube session as soon as the message is viewed; opening the message is the only user interaction required. Public reporting indicates the flaw has been exploited in espionage campaigns to run arbitrary JavaScript in victims' browsers and harvest mailbox data.
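
To make the failure mode concrete, the following is an added example, not Roundcube's code and not part of the original advisory. It models the plain-text-to-HTML conversion the description refers to: link references of the form "[key] URL" are swapped for placeholders, the body is HTML-escaped, and the placeholders are then replaced with anchor fragments built earlier. The vulnerable variant assumes, for illustration, that the bracketed key is copied into the fragment unescaped, which is the class of mistake the advisory describes; the hardened variant escapes it first. The regex, placeholder format, function names and sample bodies are this example's own.

```python
import html
import re

# Model of a plain-text link reference, "[key] URL" on its own line. The
# regex and placeholder format are this example's own, not Roundcube's.
LINKREF_INDEX = re.compile(r"^\[([^\]\n]+)\][ \t]*(\S+)[ \t]*$", re.MULTILINE)
PLACEHOLDER = re.compile(r"##str_replacement_(\d+)##")


def _render(text: str, escape_key: bool) -> str:
    """Three-phase conversion: placeholder substitution, escaping, re-insertion.

    Anchor fragments are built before the body is escaped and spliced in
    afterwards, so anything copied into a fragment unescaped lands in the
    final HTML verbatim.
    """
    fragments = []

    def add_index(m):
        key, url = m.group(1), m.group(2)
        label = html.escape(key) if escape_key else key  # the fix is this one call
        fragments.append(f'<a href="{html.escape(url, quote=True)}">[{label}]</a>')
        return f"##str_replacement_{len(fragments) - 1}##"

    with_placeholders = LINKREF_INDEX.sub(add_index, text)
    escaped = html.escape(with_placeholders)  # placeholders contain no escapable chars
    return PLACEHOLDER.sub(lambda m: fragments[int(m.group(1))], escaped)


def render_vulnerable(text: str) -> str:
    """Assumed vulnerable behaviour: the bracketed key reaches the HTML unescaped."""
    return _render(text, escape_key=False)


def render_fixed(text: str) -> str:
    """Hardened behaviour: the key is HTML-escaped before it enters the fragment."""
    return _render(text, escape_key=True)


# Constructed sample bodies; the onerror payload is inert text in this script.
BENIGN_BODY = "Minutes from Tuesday are at the link below.\n[1] https://example.invalid/minutes\n"
MALICIOUS_BODY = (
    "Minutes from Tuesday are at the link below.\n"
    "[<img src=x onerror=alert(document.cookie)>] https://example.invalid/minutes\n"
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_BODY))
    print("fixed:     ", render_fixed(MALICIOUS_BODY))
```

Run it and compare the two outputs: the vulnerable path emits a live img element inside the anchor text, the fixed path emits the same bytes as visible text. The benign body renders identically either way, which is why a fix of this shape is safe to backport without changing what legitimate messages look like.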

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation executes attacker-supplied JavaScript in the security context of the victim's authenticated Roundcube session. From there the script can read and exfiltrate whatever the webmail application exposes to the browser: message contents, contacts, credentials and other session-derived data. In observed threat activity the vulnerability was used for reconnaissance, data gathering and email theft against government, defense and logistics-related targets. Because the script runs in the browser rather than on the server, the impact is confined to the webmail session and does not by itself give host-level access, but compromise of a mailbox can still expose highly sensitive communications.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure: restrict access to Roundcube to trusted networks or VPN users; filter or quarantine inbound mail whose plain-text bodies carry malformed or unexpected link-reference content; and deploy web application protections where feasible. Note the limit of that last control: the payload arrives over SMTP and is stored in the mailbox, so a WAF that only inspects inbound HTTP requests never sees it being delivered; filtering has to happen on the mail path or on the rendered HTTP response. Monitor for anomalous outbound requests originating from Roundcube user sessions, suspicious mailbox access and signs of email exfiltration. Because exploitation occurs each time the crafted email is opened, removing malicious messages from inboxes prevents retriggering.

Remediation

Patch, then assume compromise.

Upgrade Roundcube Webmail to a fixed version: 1.2.13 or later on the 1.2 branch, 1.3.16 or later on the 1.3 branch, or 1.4.10 or later on the 1.4 branch. Where Roundcube comes from a distribution package (Debian and Fedora are listed below), apply the distribution's security update rather than comparing against upstream numbers alone, since packaged versions may carry the fix under a different version string. Apply the updates across every exposed instance and verify that all webmail nodes, containers and packaged deployments land on a fixed release consistently. After patching, review mailboxes and web server logs for messages crafted to trigger the XSS and remove any identified phishing messages from user mailboxes.
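
The two checks below are an added example, not Mallory's or Roundcube's code, covering the mitigation and remediation steps above. is_vulnerable() applies the fixed-version boundaries from the remediation paragraph to a version string, and suspicious_linkrefs() implements the mailbox triage the mitigation paragraph calls for by parsing a raw message and flagging link-reference keys in text/plain parts that contain HTML markup. The sample message is constructed for the example, and the detection pattern is a heuristic chosen here, not a vendor signature.

```python
import email
import re
from email import policy

# Fixed releases per branch, taken from the remediation paragraph.
FIXED_PER_BRANCH = {
    (1, 2): (1, 2, 13),
    (1, 3): (1, 3, 16),
    (1, 4): (1, 4, 10),
}


def parse_version(version: str) -> tuple:
    """Reduce '1.4.9' or '1.4.10-1~deb10u1' to (major, minor, patch).

    Distro suffixes are dropped. Caveat: a distribution may backport the fix
    without changing the upstream version, so a 'vulnerable' result for a
    packaged install must be confirmed against the package changelog.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable Roundcube version: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if the upstream version falls inside an affected range."""
    v = parse_version(version)
    fixed = FIXED_PER_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Anything older than the 1.2 branch predates every fix; 1.5 and later ship fixed.
    return v < (1, 2, 13)


# Heuristic (this example's own, not a vendor signature): a link-reference
# key at the start of a line whose text contains angle brackets.
SUSPICIOUS_KEY = re.compile(r"^\[([^\]\n]*[<>][^\]\n]*)\]", re.MULTILINE)


def suspicious_linkrefs(raw_message: bytes) -> list:
    """Return link-reference keys carrying HTML markup from every text/plain part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        hits.extend(SUSPICIOUS_KEY.findall(part.get_content()))
    return hits


# Constructed sample message for the example; the onerror payload is inert text here.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Please review the figures in the linked report.
[<img src=x onerror=alert(document.cookie)>] https://example.invalid/report
[1] https://example.invalid/legitimate
"""

if __name__ == "__main__":
    for ver in ("1.4.9", "1.4.10", "1.3.16", "1.2.12", "1.5.0"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    print("suspicious link references:", suspicious_linkrefs(SAMPLE_EML))
```

Feed suspicious_linkrefs() each message from a maildir or an IMAP fetch to build the list of messages to quarantine; the benign "[1] https://..." reference in the sample is deliberately left alone so legitimate footnote-style links do not flood the triage queue.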
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

Valid: 0 / Total: 0

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor           Product        Type
Debian           Debian Linux   operating_system
Fedora Project   Fedora         operating_system
Roundcube        Webmail        application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (4)

Every observed campaign linking this CVE to a named adversary.

Associated malware (2)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (1)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (2)

Community discussion across Reddit, Mastodon, and other social sources.