{"api_version":"1","generated_at":"2026-05-30T04:51:00+00:00","cve":"CVE-2026-48848","urls":{"html":"https://cve.report/CVE-2026-48848","api":"https://cve.report/api/cve/CVE-2026-48848.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48848","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48848"},"summary":{"title":"CVE-2026-48848","description":"Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.","state":"PUBLISHED","assigner":"mitre","published_at":"2026-05-25 20:16:37","updated_at":"2026-05-26 19:26:42"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"cve@mitre.org","type":"Secondary","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/roundcube/roundcubemail/releases/tag/1.7.1","name":"https://github.com/roundcube/roundcubemail/releases/tag/1.7.1","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27","name":"https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9","name":"https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.16","name":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.16","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1","name":"https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48848","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48848","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Roundcube","product":"Webmail","version":"affected 1.6.0 1.6.16 semver","platforms":[]},{"source":"CNA","vendor":"Roundcube","product":"Webmail","version":"affected 1.7.0 1.7.1 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"48848","cve":"CVE-2026-48848","epss":"0.000440000","percentile":"0.138520000","score_date":"2026-05-29","updated_at":"2026-05-30 00:13:25"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-48848","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-26T13:00:37.600791Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-26T13:00:52.631Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Webmail","vendor":"Roundcube","versions":[{"lessThan":"1.6.16","status":"affected","version":"1.6.0","versionType":"semver"},{"lessThan":"1.7.1","status":"affected","version":"1.7.0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*","versionEndExcluding":"1.6.16","versionStartIncluding":"1.6.0","vulnerable":true},{"criteria":"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*","versionEndExcluding":"1.7.1","versionStartIncluding":"1.7.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-25T19:27:54.841Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"},{"url":"https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"},{"url":"https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9"},{"url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"},{"url":"https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27"}],"x_generator":{"engine":"CVE-Request-form 0.0.1"}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2026-48848","datePublished":"2026-05-25T19:27:54.841Z","dateReserved":"2026-05-25T19:27:54.328Z","dateUpdated":"2026-05-26T13:00:52.631Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-25 20:16:37","lastModifiedDate":"2026-05-26 19:26:42","problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.7}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48848","Ordinal":"1","Title":"CVE-2026-48848","CVE":"CVE-2026-48848","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48848","Ordinal":"1","NoteData":"Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.","Type":"Description","Title":"CVE-2026-48848"}]}}}