securityonline.info 7/10/2026, 3:41:04 AM · external

Roundcube fixes zero click XSS bug CVE-2026-54433 in new update

Roundcube fixes zero click XSS bug CVE-2026-54433 in new update
CyberSIXT Evidence Panel
Primary Source github.com
CISA KEV Not in KEV
Patch Patch Status Unknown

ROUNDCUBE has released versions 1.7.2 and 1.6.17 to patch six security flaws, including a significant zero-click XSS vulnerability tracked as CVE-2026-54433, which affects how plain-text emails are rendered. This vulnerability can allow attackers to execute scripts without user interaction, threatening users' message integrity and account security. Other addressed issues include a stored XSS and an SSRF bypass.

Users of affected versions prior to 1.7.2 and 1.6.17 are urged to update immediately to secure their installations, as these vulnerabilities may lead to unauthorized access to sensitive data. No real-world exploitation of these issues has been reported yet.

View Primary Source Via securityonline.info

Article by CyberSIXT