🟢 CVE-2024-42009

Cross-Site Scripting vulnerability in Roundcube webmail allows attackers to steal and send emails via crafted email messages. Despite high CVSS score and CISA KEV listing, this is client-side XSS requiring user interaction, not direct server compromise.

โ† Back to Overview
Risk Level: LOW_RISK
CVSS Score: 9.3
Attack Vector: NETWORK
ATT&CK Tactic: Execution
ATT&CK Technique: T1203 — Exploitation for Client Execution
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2024-08-05

Added to CISA KEV: 2025-06-09 (308 days between CVE publication and KEV listing)

🎯 Recommendations:

๐Ÿ” Web Intelligence (Kagi ยท 2026-06-04)

CVE-2024-42009 is a critical Cross-Site Scripting (XSS) vulnerability affecting Roundcube Webmail [4].

Vulnerability Overview
  • Type: Stored Cross-Site Scripting (XSS) [2].
  • Root Cause: A desanitization issue in the `message_body()` function located in `program/actions/mail/show.php`, which fails to properly sanitize HTML content within email messages [3].
Exploitation Details
  • Attack Method: A remote attacker can send a specially crafted email message to a victim [3]. When the victim views this email, the malicious JavaScript payload executes within their browser session [6].
  • Requirements: No authentication is required for the attacker to send the malicious email. While it requires the victim to view the email, no further complex user interaction is typically needed to trigger the payload [1].
  • Impact: Successful exploitation allows an attacker to steal emails and contacts, and send emails from the victim's account [5]. It can also lead to persistent browser footholds or full account compromise [2].
Status and Mitigation
  • Affected Versions: Roundcube versions through 1.5.7 and 1.6.x through 1.6.7 [4].
  • Patch Status: The issue was addressed in Roundcube versions 1.5.8 and 1.6.8 [1]. Users are strongly advised to update to these versions or later to mitigate the risk.
  • PoC Availability: Proof-of-concept exploit code is publicly available on platforms like GitHub, demonstrating how the vulnerability can be used to exfiltrate data [2].
There is no widespread reporting of this specific CVE being used in major ransomware campaigns as of mid-2026, though its nature makes it a potent tool for targeted attacks, such as email espionage or account takeover.

Sources

  1. CVE-2024-42009 - Exploits & Severity - Feedly

    The XSS vulnerability CVE-2024-42009 in Roundcube versions 1.6.7 and below, and 1.5.7 and below, allows unauthenticated attackers to steal emails and contacts, as well as send emails from a victim's account with critical severity. …

  2. GitHub - DaniTheHack3r/CVE-2024-42009-PoC: CVE-2024-42009...

    This repository contains a proof-of-concept (PoC) exploit for CVE-2024-42009, a stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail version 1.6.7 and several other versions. The exploit demonstrates how an attacker can inject malicious JavaScript in a message and take advantage of a…

  3. NVD - CVE-2024-42009

    CVE-2024-42009 Detail. Description. A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abus…

  4. CVE-2024-42009 Detail - NVD

    A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim.

  5. Roundcube flaws allow easy email account compromise (CVE-2024 ...

    Roundcube XSS vulnerabilities (CVE-2024-42009, CVE-2024-42008) could be exploited to steal users' emails and contacts, and send emails.

  6. Critical Cross-Site Scripting Vulnerability in Roundcube Webmail

    When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser.