Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Roundcube Webmail SVG animate tag XSS

IdentifiersCVE-2025-68461CWE-79· Improper Neutralization of Input…

CVE-2025-68461 is a cross-site scripting vulnerability in Roundcube Webmail affecting versions before 1.5.12 and 1.6.x before 1.6.12. The flaw is triggered via the animate tag in an SVG document, indicating insufficient sanitization or filtering of active content embedded in SVG during message or content rendering. By supplying crafted SVG content containing a malicious animate element, an attacker can cause script execution in the context of the Roundcube Webmail application within a victim’s browser session. The issue was reported by Valentin T. of CrowdStrike and fixed by Roundcube in the December 2025 security updates.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows execution of attacker-controlled JavaScript in the victim’s browser in the security context of Roundcube Webmail. This can enable session hijacking, credential theft, access to mailbox contents available to the victim, exfiltration of sensitive data, and performance of unauthorized actions through the victim’s authenticated session. The vulnerability has also been reported as actively exploited in the wild and added to CISA’s KEV catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by blocking or stripping untrusted SVG content, especially SVG documents containing animate elements, before rendering in Roundcube. Additional compensating controls may include WAF or content-filtering rules targeting SVG/animate payloads, restricting exposure of the webmail interface, and advising users to avoid opening untrusted or suspicious content until patched. No complete vendor workaround is provided in the supplied content.

Remediation

Patch, then assume compromise.

Upgrade Roundcube Webmail to a fixed release: 1.5.12 or later on the 1.5 branch, or 1.6.12 or later on the 1.6 branch. Roundcube’s December 2025 security updates address this issue, and downstream distributions should apply their vendor-provided patched packages where applicable.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
RoundcubeWebmailapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

38 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

38 SOURCESView more in app
checkpoint research blogNews
Mar 2, 2026
2nd March - Threat Intelligence Report - Check Point Research

An unauthenticated cross-site scripting vulnerability in Roundcube Webmail that is listed as exploited in the wild.

Read more
cyber security newsNews
Feb 23, 2026
CISA Warns of Multiple Roundcube Vulnerabilities Exploited in Attacks

A high-severity cross-site scripting (XSS) vulnerability in the Roundcube Webmail web interface/input handling that can allow script injection leading to session hijacking or data theft.

Read more
security weekNews
Feb 23, 2026
Recent RoundCube Webmail Vulnerability Exploited in Attacks - SecurityWeek

Cross-site scripting (XSS) vulnerability in RoundCube Webmail via unsanitized malicious payloads embedded in the SVG animate tag, enabling script execution in the victim’s browser context without user interaction.

Read more
gbhackersNews
Feb 23, 2026
CISA Warns of Actively Exploited Roundcube Vulnerabilities

A stored cross-site scripting (XSS) vulnerability in Roundcube Webmail’s message rendering that can enable session hijacking and credential theft when malicious email content is rendered.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity26

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-68461
NVD
nvd.nist.gov/vuln/detail/CVE-2025-68461
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Patch
github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
Vendor Advisory
roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68461