CVE-2026-48848

Source
https://cve.org/CVERecord?id=CVE-2026-48848
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48848.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48848
Downstream
Related
Published
2026-05-25T19:27:54.841Z
Modified
2026-07-08T08:13:39.566685345Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48848.json",
    "cna_assigner": "mitre",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/roundcube/roundcubemail

Affected ranges

Type
GIT
Repo
https://github.com/roundcube/roundcubemail
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "1.6.0"
        },
        {
            "fixed": "1.6.16"
        },
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.1"
        }
    ]
}

Affected versions

1.*
1.6.0
1.6.1
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48848.json"