Home > Vulnerability Database > CVE-2026-26079

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2026-26079

Good to know:

Date: February 10, 2026

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

Severity Score

4.7

Related Resources (11)

Url: https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01

Url: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13

Url: https://github.com/roundcube/roundcubemail/releases/tag/1.6.13

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-26079

Url: https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816

Url: https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447

Url: https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5

Url: https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde

Url: https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954

Url: https://github.com/roundcube/roundcubemail/releases/tag/1.5.13

Url: https://www.mend.io/vulnerability-database/CVE-2026-26079

Severity Score

4.7

Weakness Type (CWE)

Inclusion of Functionality from Untrusted Control Sphere

CWE-829

Top Fix

Upgrade Version

Upgrade to version https://github.com/roundcube/roundcubemail.git - 1.6.13;https://github.com/roundcube/roundcubemail.git - 1.5.13

CVSS v3.1

Base Score:	4.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Do you need more information?

Contact Us