CVE-2026-54432

medium
Published 2026-07-14 · Modified 2026-07-14
CVSS v3
4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4 NEW
—
not yet in upstream
VIR risk
4.7

Description

Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 allows Stored Cross-Site Scripting (XSS). The issue occurs because the attachment MIME type is not properly escaped on the attachment-validation warning page.

Predictions

Exploit likelihood
57%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-54432 NameCVE-2026-54432 SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Debian Bugs1141495 Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus roundcube (PTS)bullseye1.4.15+dfsg.1-1+deb11u4vulnerable bullseye…

CVE-2026-54432

NameCVE-2026-54432
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1141495

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
roundcube (PTS)bullseye1.4.15+dfsg.1-1+deb11u4vulnerable
bullseye (security)1.4.15+dfsg.1-1+deb11u9vulnerable
bookworm1.6.5+dfsg-1+deb12u8vulnerable
bookworm (security)1.6.5+dfsg-1+deb12u9vulnerable
trixie1.6.15+dfsg-0+deb13u1vulnerable
trixie (security)1.6.16+dfsg-0+deb13u1vulnerable
forky, sid1.6.16+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
roundcubesource(unstable)(unfixed)1141495

Notes

https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e4393d32abb157cb2a568 (1.6.17)

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e4393d32abb157cb2a568 (1.6.17)

OS impact

debian Debian Mixed 5 releases
VersionStatusFixed in
trixie Affected —
sid Fixed 1.6.17+dfsg-1
forky Fixed 1.6.17+dfsg-1
bullseye Affected —
bookworm Affected —

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.