Roundcube CVE-2025-68461 XSS

CVE-2025-68461 is a high-severity Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail that allows attackers to inject malicious JavaScript via specially crafted SVG animate tags. The flaw affects versions before 1.5.12 and 1.6.12, enabling account takeover through a single malicious email. With a CVSS score of 7.2, it requires no authentication and no user interaction beyond viewing the email. Attackers exploit improper input neutralization in SVG document handling to execute scripts in victim browsers, capturing session tokens and credentials. Patches are available but adoption remains incomplete across hosting providers.
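
A mail-side triage check for the SVG animate vector described above, as an added example that is not part of the original page or of Roundcube's code: it walks a message's HTML and SVG parts and reports every `<animate>` element nested inside `<svg>`. The sample message and the names `SvgAnimateFinder` and `scan_message` are constructed for illustration; a hit only marks mail for review, since legitimate animation matches too.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message (benign animation, not taken from any real mail).
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

hello
--b1
Content-Type: text/html; charset=utf-8

<p>hello</p><svg width="10" height="10"><circle r="5">
<animate attributeName="opacity" from="0" to="1" dur="1s"/></circle></svg>
--b1--
"""

class SvgAnimateFinder(HTMLParser):
    """Records the attributeName of every <animate> nested inside <svg>."""
    def __init__(self):
        super().__init__()
        self.svg_depth, self.hits = 0, []

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lowercased
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "animate" and self.svg_depth:
            self.hits.append(dict(attrs).get("attributename"))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def scan_message(raw):
    """Return (content type, animated attribute) for each hit in HTML/SVG parts."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "image/svg+xml"):
            continue
        data = part.get_payload(decode=True) or b""
        finder = SvgAnimateFinder()
        finder.feed(data.decode("utf-8", errors="replace"))  # assumes UTF-8 bodies
        finder.close()
        findings += [(ctype, name) for name in finder.hits]
    return findings
```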