Roundcube CVE-2025-68461 XSS
CVE-2025-68461 is a high-severity Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail that lets an attacker inject JavaScript through specially crafted SVG animate tags embedded in an email. The flaw affects versions before 1.5.12 and 1.6.12 and enables account takeover from a single malicious message. It carries a CVSS score of 7.2: the attacker needs no account on the target server, and the only victim action required is opening the email in the webmail client. The root cause is improper neutralization of SVG animation content when the message is rendered, so the injected script runs in the victim's browser within the logged-in Roundcube session, where it can capture session tokens and credentials. Patches are available, but adoption remains incomplete across hosting providers.

Roundcube CVE-2025-68461: SVG XSS Vulnerability Enables Silent Email Account Takeover Through Malicious Animate Tags
Roundcube Webmail contains a Cross-Site Scripting vulnerability (CVE-2025-68461, CVSS 7.2) that lets an attacker hijack an email account by sending a message carrying malicious SVG content. The flaw stems from improper sanitization of SVG animate tags, so attacker-supplied JavaScript executes in the victim's browser and grants access to the account without the victim's credentials. The fix shipped in versions 1.5.12 and 1.6.12, but deployment lags…
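The two summaries above describe the class of bug without showing why SVG animation is a sanitizer blind spot. The following Python is an added illustration, not Roundcube's code and not the specific payload behind CVE-2025-68461 (which the page does not disclose): a check that only inspects static `href` attributes passes an SVG whose SMIL `<animate>` element rewrites `href` to a `javascript:` URL at render time, while a check that also inspects animation elements catches it. The SVG samples, the function names and the `strip_unsafe_animations` policy are all constructed for this example.

```python
# Added illustration: why an attribute-only SVG sanitizer misses javascript:
# URLs written by SMIL animation elements. Not Roundcube code; samples constructed.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# URL-carrying attributes: dangerous when they end up holding a javascript: URL.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# SMIL animation elements can rewrite any attribute of their parent at runtime.
ANIMATION_TAGS = {f"{{{SVG_NS}}}{t}"
                  for t in ("animate", "set", "animateMotion", "animateTransform")}
# Attributes on animation elements that carry the values being written.
ANIM_VALUE_ATTRS = ("values", "from", "to", "by")

JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _is_js_url(value: str) -> bool:
    # SMIL 'values' lists are semicolon-separated; any entry may be javascript:.
    return any(JS_SCHEME.match(part) for part in value.split(";"))


def _static_js_href(el) -> bool:
    # Static attribute check: what a naive sanitizer looks at.
    return any(name in URL_ATTRS and _is_js_url(val) for name, val in el.attrib.items())


def _animates_href_to_js(el) -> bool:
    # An animation element whose target attribute is href (or xlink:href)
    # and whose written value is a javascript: URL.
    if el.tag not in ANIMATION_TAGS:
        return False
    target = el.get("attributeName", "")
    if target.split(":")[-1] != "href":
        return False
    return any(_is_js_url(el.get(a, "")) for a in ANIM_VALUE_ATTRS)


def naive_has_js_href(svg_text: str) -> bool:
    """Attribute-only check: sees static href="javascript:..." and nothing else."""
    return any(_static_js_href(el) for el in ET.fromstring(svg_text).iter())


def hardened_has_js_href(svg_text: str) -> bool:
    """Also treats an animation that writes javascript: into href as a hit."""
    return any(_static_js_href(el) or _animates_href_to_js(el)
               for el in ET.fromstring(svg_text).iter())


def strip_unsafe_animations(svg_text: str) -> str:
    """Hypothetical policy: drop animation elements that target a URL attribute,
    keep harmless ones (e.g. animating a radius)."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):        # snapshot: we mutate while walking
        for child in list(parent):
            if (child.tag in ANIMATION_TAGS
                    and child.get("attributeName", "").split(":")[-1] == "href"):
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed samples.
BENIGN = (
    f'<svg xmlns="{SVG_NS}"><circle r="5">'
    '<animate attributeName="r" values="5;10;5" dur="1s" repeatCount="indefinite"/>'
    '</circle></svg>'
)
STATIC_JS = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
    '<a xlink:href="javascript:alert(1)"><text y="20">click</text></a></svg>'
)
# href is harmless at parse time; the <animate> rewrites it when rendered.
ANIMATED_JS = (
    f'<svg xmlns="{SVG_NS}"><a href="#ok"><text y="20">click</text>'
    '<animate attributeName="href" values="javascript:alert(1)" begin="0s" fill="freeze"/>'
    '</a></svg>'
)

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN), ("static", STATIC_JS), ("animated", ANIMATED_JS)):
        print(f"{label:9s} naive={naive_has_js_href(svg)!s:5s} "
              f"hardened={hardened_has_js_href(svg)}")
    print("cleaned still flagged:", hardened_has_js_href(strip_unsafe_animations(ANIMATED_JS)))
```

The point is the `animated` row: the static check reports clean because every `href` in the document is benign at parse time, yet the hardened check flags it because an animation element will write a `javascript:` URL into `href` when the browser renders the message. A sanitizer for untrusted SVG therefore has to treat animation elements as attribute writers, not as decoration, or drop them outright.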
