CVE-2026-48848
7.2
HIGH
CVSS 3.1
EPSS 0.04%
Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
How to fix CVE-2026-48848
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Debian/roundcube: no fix listed
Is CVE-2026-48848 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |