CVE-2023-5631 — Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker
Published
2023-10-18T14:51:18.443Z
Last modified
2025-10-21T23:05:34.074Z
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA KEV — Actively Exploited
01What is this vulnerability?
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker
02Affected products
| Vendor | Product | Versions |
|---|
| Roundcube | Roundcubemail | 1.6.0, 1.5.0, 1.4.0, 1.6.4, 1.5.5, 1.5.15 |
03Active exploitation status
Yes — actively exploited. Added to the CISA KEV catalog on 2023-10-26. Ransomware use: Unknown.
04Recommended remediation
- Patch to a fixed version listed in the vendor advisory (see references below).
- Mitigate with WAF rules, network egress filters, or feature flags where the patch is not yet available.
- Hunt historical logs for exploitation indicators — see Detection signatures below.
05Technical details
For the full vendor write-up, exploit chains, and reference implementations, see the references list in section 09.
06Detection signatures
Open the Sigma generator with a pre-filled prompt for this CVE to draft a starting detection in your stack of choice:
Open in Sigma generator →
07Related CVEs
No directly-cited follow-up CVEs in the KB record for this advisory. The references list in section 09 carries the vendor cross-references.
08Timeline
- Published: 2023-10-18T14:51:18.443Z
- Last modified: 2025-10-21T23:05:34.074Z
- Added to CISA KEV: 2023-10-26
- BOD 22-01 due: 2023-11-16
09References
- github.com — https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf755…
- github.com — https://github.com/roundcube/roundcubemail/releases/tag/1.6.4
- github.com — https://github.com/roundcube/roundcubemail/releases/tag/1.5.5
- github.com — https://github.com/roundcube/roundcubemail/releases/tag/1.4.15
- github.com — https://github.com/roundcube/roundcubemail/issues/9168
- roundcube.net — https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
- github.com — https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474…
- roundcube.net — https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
- bugs.debian.org — https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
- www.debian.org — https://www.debian.org/security/2023/dsa-5531
- lists.debian.org — https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html
- www.openwall.com — http://www.openwall.com/lists/oss-security/2023/11/01/1
- www.openwall.com — http://www.openwall.com/lists/oss-security/2023/11/01/3
- lists.fedoraproject.org — https://lists.fedoraproject.org/archives/list/[email protected]…
- www.openwall.com — http://www.openwall.com/lists/oss-security/2023/11/17/2
Want this in your SOAR or SIEM?
SARA's API returns EPSS, CVSS, KEV, and an analyst-grade summary in one call.
Read the API reference →