Roundcube : Security Vulnerabilities, CVEs, CVSS score >= 9
CVE-2021-44026
Known exploited
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Max CVSS
9.8
EPSS Score
0.59%
Published
2021-11-19
Updated
2021-12-16
CISA KEV Added
2023-06-22
CVE-2020-12641
Known exploited
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Max CVSS
9.8
EPSS Score
9.12%
Published
2020-05-04
Updated
2022-04-29
CISA KEV Added
2023-06-22
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Max CVSS
9.8
EPSS Score
1.16%
Published
2020-05-04
Updated
2022-09-02
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
Max CVSS
9.0
EPSS Score
0.31%
Published
2017-01-30
Updated
2018-10-30
CVE-2008-5619
Public exploit
html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.
Max CVSS
10.0
EPSS Score
88.65%
Published
2008-12-17
Updated
2018-10-11
5 vulnerabilities found