CVE-2026-48848: XSS
Published May 25, 2026
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
Affected Software
1 affected component
Roundcube Roundcube Webmail >=1.6.0 <1.6.16, <1.7
Event History
May 25, 2026
CVE Published
via MITRE · 07:27 PM
Data Sourced
via MITRE · 07:27 PM
Frequently Asked Questions
1. What is the severity of CVE-2026-48848?
The severity of CVE-2026-48848 is rated as high with a score of 7.2.
2. What are the affected versions for CVE-2026-48848?
CVE-2026-48848 affects Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.
3. How do I fix CVE-2026-48848?
To fix CVE-2026-48848, upgrade to Roundcube Webmail version 1.6.16 or 1.7.1 or later.
4. What type of vulnerability is CVE-2026-48848?
CVE-2026-48848 is classified as a Cross-Site Scripting (XSS) vulnerability due to insufficient HTML sanitization.
5. What impact does CVE-2026-48848 have on users?
CVE-2026-48848 may allow attackers to inject malicious CSS via SVG documents, potentially affecting user session security.