CVE-2025-68461 — Roundcube Webmail Cross-site Scripting Vulnerability

Roundcube Webmail — SVG animate Tag XSS Bypasses rcube_washtml Sanitizer; Persistent Zero-Click Session Theft

What is Roundcube Webmail?

Roundcube is one of the most widely deployed open-source web-based email clients, used by internet service providers, universities, governments, and enterprises worldwide to provide browser-based email access. Because Roundcube renders HTML email content in the browser, its HTML sanitization is a critical security boundary — any bypass allows email senders to inject and execute JavaScript in the victim's browser context, enabling silent session theft and email account takeover.

Roundcube has been a persistent target for state-sponsored APTs. In 2023 APT28 (Fancy Bear) exploited older, already-patched Roundcube XSS flaws for targeted email surveillance, and Winter Vivern used a Roundcube XSS zero-day the same year against government and diplomatic email accounts.

Overview

CVE-2025-68461 is a cross-site scripting vulnerability (CWE-79) in Roundcube Webmail triggered by an SVG <animate> element whose attributeName is xlink:href. The Roundcube HTML sanitizer (rcube_washtml) refuses SVG animation elements that target the href attribute, but the comparison in its attribute_value() method does not strip XML namespace prefixes before matching, so the namespaced spelling xlink:href slips past the check while still targeting the same attribute once the browser renders it. When a victim opens a malicious email containing the crafted SVG, the javascript: URI executes in the browser without any click, giving the sender script running inside the victim's Roundcube session to steal session material and read mail. CISA added the CVE to the KEV catalog on February 20, 2026.

Affected Versions

Branch           Vulnerable   Fixed
Roundcube 1.6.x  < 1.6.12     1.6.12
Roundcube 1.5.x  < 1.5.12     1.5.12

Minimum recommended versions addressing all disclosed issues: 1.6.13 / 1.5.13.

Technical Details

The root cause is in the attribute_value() method of the rcube_washtml HTML sanitizer. The sanitizer refuses SVG <animate> elements that target the href attribute, because an animated href lets the element rewrite a link target to a javascript: URI at render time. The check compares the element's attributeName value against the literal string "href".

An attacker instead writes attributeName="xlink:href", the XML-namespaced spelling of the same attribute. In a plain string comparison "xlink:href" does not equal "href", and because the sanitizer does not strip the namespace prefix before comparing, the check never fires: the <animate> element, complete with its javascript: URI value, is delivered to the victim's browser untouched, where it animates the same href the plain spelling would have.
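
The comparison at the heart of the bug, as an added example rather than Roundcube's own code: a naive check that compares the attributeName string to "href", beside the namespace-stripping check, both run over constructed SVG fragments. It goes a little beyond the page's single case, treating <set> and the other SMIL animation elements, the src attribute, and a javascript: scheme hidden behind mixed case or leading control characters, so that the fix is a rule rather than one extra string. The element and attribute sets, the function names and the sample fragments are all assumptions made for the demo.

```python
"""Naive vs. namespace-aware matching of SVG animation targets (added example;
models the CVE-2025-68461 comparison, not rcube_washtml's actual code)."""
import re
import xml.etree.ElementTree as ET

# Assumed sets for the demo: SMIL elements that rewrite another element's
# attribute at render time, and the URL-carrying attributes worth guarding.
ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
URL_TARGETS = {"href", "src"}
VALUE_ATTRS = ("values", "to", "from", "by")
# Browsers ignore ASCII control characters and spaces in front of a scheme.
_CTRL = re.compile(r"[\x00-\x20]+")


def local_name(name):
    """'xlink:href' -> 'href', '{uri}animate' -> 'animate', 'href' -> 'href'."""
    name = name.rsplit("}", 1)[-1]   # ElementTree spells namespaced tags {uri}local
    name = name.rsplit(":", 1)[-1]   # prefix:local as written in the markup
    return name.lower()


def has_script_uri(value):
    """True if any ';'-separated animation value resolves to a javascript: URI."""
    return any(_CTRL.sub("", v).lower().startswith("javascript:")
               for v in value.split(";"))


def targets_url_attribute(attrs, strip_namespace):
    """The vulnerable comparison (strip_namespace=False) and the fixed one.

    Naive: 'xlink:href' != 'href', so the namespaced spelling is never matched.
    Fixed: compare the local name only, whatever prefix precedes it.
    """
    target = attrs.get("attributeName", "")
    target = local_name(target) if strip_namespace else target.lower()
    return target in URL_TARGETS


def find_dangerous_animations(svg_text, strip_namespace=True):
    """Return (tag, attributeName, value) for every animation element that
    retargets a URL attribute to a javascript: URI."""
    hits = []
    for el in ET.fromstring(svg_text).iter():
        if local_name(el.tag) not in ANIMATION_TAGS:
            continue
        if not targets_url_attribute(el.attrib, strip_namespace):
            continue
        for attr in VALUE_ATTRS:
            if has_script_uri(el.attrib.get(attr, "")):
                hits.append((local_name(el.tag), el.attrib["attributeName"], el.attrib[attr]))
                break
    return hits


_SVG = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'

# Constructed fragments for the demo; alert(1) stands in for a real payload.
SAMPLES = {
    "plain_href": _SVG + '<a><animate attributeName="href" values="javascript:alert(1)"/>'
                         '<text x="1" y="1">x</text></a></svg>',
    "xlink_href": _SVG + '<a><animate attributeName="xlink:href" values="javascript:alert(1)"/>'
                         '<text x="1" y="1">x</text></a></svg>',
    "set_to_href": _SVG + '<a><set attributeName="xlink:href" to="  JaVaScRiPt:alert(1)"/>'
                          '<text x="1" y="1">x</text></a></svg>',
    "benign": _SVG + '<rect width="1" height="1"><animate attributeName="opacity" values="0;1"/></rect></svg>',
}


def compare_checks(samples=SAMPLES):
    """Map sample name -> (flagged by naive check, flagged by fixed check)."""
    return {name: (bool(find_dangerous_animations(svg, strip_namespace=False)),
                   bool(find_dangerous_animations(svg, strip_namespace=True)))
            for name, svg in samples.items()}


if __name__ == "__main__":
    for name, (naive, fixed) in compare_checks().items():
        print(f"{name:12s} naive={'BLOCK' if naive else 'pass '}  fixed={'BLOCK' if fixed else 'pass '}")
```

Only plain_href is caught by the naive comparison; the two namespaced fragments pass it and are blocked only once the prefix is stripped, and the opacity animation is left alone by both.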

When the browser renders the SVG animate element, it evaluates the javascript: URI automatically, with no user click required, and the script runs with the authority of the Roundcube origin and the victim's logged-in session. A payload typically:

  • Reads the session cookie if it is not HttpOnly (Roundcube sets HttpOnly on its own session cookie, so in practice payloads act from inside the session instead)
  • Exfiltrates email content by issuing authenticated requests to Roundcube from the victim's browser, which attaches the session cookie regardless of HttpOnly
  • Potentially plants a persistent XSS payload in the victim's mailbox for future access

Key characteristics:

  • No user interaction required: opening the email is sufficient (zero-click)
  • No authentication required from the attacker: anyone who can deliver an email to the victim can exploit it
  • Scope is Changed (S:C) because the vulnerable component is Roundcube's server-side sanitizer while the impact lands in a different security authority, the victim's browser, where the injected script acts with the rights of the Roundcube origin and session

Discovery

Reporter not publicly attributed. The roughly ten-week gap between the December 13, 2025 patch and the February 20, 2026 KEV listing is consistent with, though not proof of, targeted exploitation against a small set of high-value targets before the activity was detected more widely.

Exploitation Context

CISA confirmed active exploitation and added the CVE to the KEV catalog on February 20, 2026. Roundcube's history of APT targeting (APT28, Winter Vivern) makes it plausible that the exploitation involved nation-state actors going after government or diplomatic email accounts. The zero-click trigger and the reach of the attack (any email delivered to a user of a vulnerable Roundcube instance) make it well suited to quiet, large-scale mail collection.

Remediation

  1. Upgrade to Roundcube 1.6.12 or 1.5.12 (or the later 1.6.13/1.5.13 releases). The CISA deadline was March 13, 2026.
  2. Confirm the session cookie carries the HttpOnly and Secure flags. Roundcube sets HttpOnly on its own session cookie (roundcube_sessid), so verify it in the Set-Cookie header of a login response rather than in config/config.inc.php, and check that no reverse proxy or PHP override rewrites the cookie without the flag. Know the limit of this control: HttpOnly stops document.cookie reads, but script running in the victim's session can still issue authenticated requests to Roundcube with the browser-attached cookie, so it does not by itself stop mail exfiltration.
  3. Consider a Content Security Policy that disallows inline script and javascript: URIs, but test it against your skin first: the Roundcube client emits inline <script> blocks, so a policy without 'unsafe-inline' needs nonces or hashes added to the templates or it will break the UI.
  4. Search stored mail, not only MTA logs, for messages received while a vulnerable version was in use. Decode MIME parts first (a base64 or quoted-printable body hides the payload from a plain grep over the mail store) and look for SVG animation elements whose attributeName is href or xlink:href with a javascript: value, starting with high-value accounts (executives, IT administrators).
  5. Invalidate sessions (rotate session tokens and force re-login) for any accounts that may have received such messages while running a vulnerable version.
  6. Enable DMARC, DKIM, and SPF. They do not prevent the XSS from working, but they help identify spoofed sender addresses that may have been used for delivery.
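
A mailbox hunt for the payload shape described in step 4, as an added example that is not part of the page or of Roundcube. It decodes each text/html, SVG or XML MIME part before matching, because a base64 body defeats a raw grep, and matches animation elements whose attributeName has the local name href or src under any prefix. The two messages are constructed for the demo (one base64-encoded payload, one benign animation); the Maildir path, the scanned content types and the function names are assumptions.

```python
"""Hunt stored mail for SVG animation elements that retarget href/src to a
javascript: URI (added example; sample messages are constructed)."""
import base64
import email
import mailbox
import re

# Opening tag of any SMIL animation element, attributes included.
ANIM_TAG = re.compile(r"<\s*(?:animate|set|animatemotion|animatetransform)\b[^>]*>",
                      re.IGNORECASE | re.DOTALL)
# attributeName whose local name is href or src, with or without a prefix (xlink:).
URL_TARGET = re.compile(r"""\battributeName\s*=\s*["']?\s*(?:[\w.-]+:)?(?:href|src)\b""",
                        re.IGNORECASE)
CONTROL = re.compile(r"[\x00-\x20]+")
# Assumed set of part types worth scanning; .svg attachments are added by filename.
SCANNED_TYPES = {"text/html", "image/svg+xml", "application/xml", "text/xml"}


def suspicious_tags(markup):
    """Return animation tags that target href/src and carry a javascript: value."""
    hits = []
    for m in ANIM_TAG.finditer(markup):
        tag = m.group(0)
        if not URL_TARGET.search(tag):
            continue
        # Drop whitespace and control characters so "java\tscript:" still matches.
        if "javascript:" in CONTROL.sub("", tag).lower():
            hits.append(tag)
    return hits


def iter_markup_parts(msg):
    """Yield (part description, decoded text) for every part worth scanning."""
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype not in SCANNED_TYPES and not fname.endswith(".svg"):
            continue
        raw = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        yield f"{ctype} {fname}".strip(), text


def scan_message(msg):
    """Return one finding per suspicious tag, keyed to the message it came from."""
    findings = []
    for where, text in iter_markup_parts(msg):
        for tag in suspicious_tags(text):
            findings.append({"message_id": msg.get("Message-ID", "<none>"),
                             "from": msg.get("From", ""),
                             "subject": msg.get("Subject", ""),
                             "part": where,
                             "tag": tag[:160]})
    return findings


def scan_raw_messages(raw_messages):
    """Scan RFC 822 messages given as strings."""
    findings = []
    for raw in raw_messages:
        findings.extend(scan_message(email.message_from_string(raw)))
    return findings


def scan_maildir(path):
    """Scan a Maildir on disk, e.g. the assumed /var/mail/vhosts/<user>/Maildir."""
    findings = []
    for msg in mailbox.Maildir(path, create=False):
        findings.extend(scan_message(msg))
    return findings


# Constructed sample bodies for the demo; alert() stands in for a real payload.
_PAYLOAD_HTML = ('<p>Invoice attached</p>'
                 '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 '<a><animate attributeName="xlink:href" values="javascript:alert(document.cookie)"/>'
                 '<text x="10" y="20">open</text></a></svg>')
_BENIGN_HTML = '<svg><circle r="4"><animate attributeName="opacity" values="0;1" dur="1s"/></circle></svg>'


def build_sample(body_html, msgid, subject, encoding="base64"):
    """Construct a single-part text/html message with the given transfer encoding."""
    body = base64.b64encode(body_html.encode()).decode() if encoding == "base64" else body_html
    return (f"From: sender@example.net\r\nTo: victim@example.org\r\nSubject: {subject}\r\n"
            f"Message-ID: {msgid}\r\nMIME-Version: 1.0\r\n"
            f"Content-Type: text/html; charset=utf-8\r\n"
            f"Content-Transfer-Encoding: {encoding}\r\n\r\n{body}\r\n")


SAMPLES = [build_sample(_PAYLOAD_HTML, "<1@example.net>", "Invoice"),
           build_sample(_BENIGN_HTML, "<2@example.net>", "Newsletter", encoding="8bit")]

if __name__ == "__main__":
    for f in scan_raw_messages(SAMPLES):
        print(f"{f['message_id']} {f['from']} [{f['part']}] {f['tag']}")
```

Run scan_maildir over each user's Maildir (swap in mailbox.mbox for mbox stores) and review every hit by hand; a match means the message contains a retargeted href with a javascript: value, not that the sanitizer of the version running at delivery time let it through.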

Key Details

Property              Value
CVE ID                CVE-2025-68461
Vendor / Product      Roundcube — Webmail
NVD Published         2025-12-18
NVD Last Modified     2026-02-23
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Severity              HIGH
CWE                   CWE-79
CISA KEV Added        2026-02-20
CISA KEV Deadline     2026-03-13
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      Low
Integrity            Low
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2026-03-13. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-12-13  Roundcube releases security updates 1.6.12 and 1.5.12 with the fix
2025-12-18  CVE published
2026-02-20  Added to CISA Known Exploited Vulnerabilities catalog
2026-03-13  CISA BOD 22-01 remediation deadline