CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail that allows attackers to execute malicious JavaScript via SVG animate tags. This directly affects internet-facing webmail servers and can lead to email account takeover without user credentials.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-12-18
Added to CISA KEV: 2026-02-20 64 DAYS BETWEEN CVE AND KEV
Roundcube Webmail contains a Cross-Site Scripting vulnerability (CVE-2025-68461, CVSS 7.2) that enables attackers to hijack email accounts by sending malicious SVG files. The flaw exploits improper sanitization of SVG animate tags to execute JavaScript in victim browsers, granting full account access without credentials. Security patches are available for versions 1.5.12 and 1.6.12, but deployment lags among hosting providers and bundled installations.
Description. Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.MITRE: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 Types: Vendor Advisory. New CVE Received from MITRE 12/18/2025 12:15:56 AM. Action. Type.
... Severe, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 7.2, CVEs: CVE-2025-68461, CVE-2025-68460, Summary: CVE-2025-68461 (CVSS: 7.2): Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via ... This critical security patch resolves CVE-2025-68461, a cross-site scripting (XSS) vulnerability exploitable through crafted SVG animate tags, and CVE-2025-68460, an information disclosure flaw within the HTML style sanitizer .
This flaw is rated Moderate because successful exploitation requires user interaction - the victim must open an email containing a malicious SVG ...