DEBIAN-CVE-2026-48848

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-48848

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48848.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-48848

Upstream

CVE-2026-48848

Published

2026-05-25T20:16:37.413Z

Modified

2026-05-26T09:00:08.472689088Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

References

https://security-tracker.debian.org/tracker/CVE-2026-48848

Affected packages

Debian:11 / roundcube

Package

Name: roundcube
Purl: pkg:deb/debian/roundcube?arch=source&distro=bullseye

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4.11+dfsg.1-4

1.4.12+dfsg.1-1~bpo10+1

1.4.12+dfsg.1-1~deb11u1

1.4.13+dfsg.1-1~deb11u1~bpo10+1

1.4.13+dfsg.1-1~deb11u1

1.4.14+dfsg.1-1~deb11u1~bpo10+1

1.4.14+dfsg.1-1~deb11u1

1.4.15+dfsg.1-1~deb11u1~bpo10+1

1.4.15+dfsg.1-1~deb11u1

1.4.15+dfsg.1-1~deb11u2~bpo10+1

1.4.15+dfsg.1-1~deb11u2

1.4.15+dfsg.1-1+deb11u3

1.4.15+dfsg.1-1+deb11u4

1.4.15+dfsg.1-1+deb11u5

1.4.15+dfsg.1-1+deb11u6

1.4.15+dfsg.1-1+deb11u7

1.4.15+dfsg.1-1+deb11u8

1.5~beta+dfsg.1-1

1.5~beta+dfsg.1-2

1.5~beta+dfsg.1-3

1.5~beta+dfsg.1-4

1.5~rc+dfsg.1-1

1.5~rc+dfsg.1-2

1.5~rc+dfsg.1-3

1.5.0+dfsg.1-1

1.5.0+dfsg.1-2

1.5.1+dfsg-1

1.6~beta+dfsg-1

1.6~beta+dfsg-2

1.6~rc+dfsg-1

1.6~rc+dfsg-2

1.6.0+dfsg-1

1.6.0+dfsg-1.1

1.6.0+dfsg-2

1.6.1+dfsg-1

1.6.2+dfsg-1

1.6.3+dfsg-1~deb12u1

1.6.3+dfsg-1

1.6.3+dfsg-2

1.6.4+dfsg-1~deb12u1

1.6.4+dfsg-1

1.6.5+dfsg-1~deb12u1

1.6.5+dfsg-1

1.6.6+dfsg-1

1.6.6+dfsg-2

1.6.7+dfsg-1

1.6.8+dfsg-1

1.6.8+dfsg-2

1.6.9+dfsg-1

1.6.9+dfsg-2

1.6.10+dfsg-1

1.6.10+dfsg-2

1.6.11+dfsg-1

1.6.12+dfsg-1

1.6.13+dfsg-1

1.6.14+dfsg-1

1.6.15+dfsg-1

1.6.16+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48848.json"

Debian:12 / roundcube

Package

Name: roundcube
Purl: pkg:deb/debian/roundcube?arch=source&distro=bookworm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.1+dfsg-1

1.6.2+dfsg-1

1.6.3+dfsg-1~deb12u1

1.6.3+dfsg-1

1.6.3+dfsg-2

1.6.4+dfsg-1~deb12u1

1.6.4+dfsg-1

1.6.5+dfsg-1~deb12u1

1.6.5+dfsg-1

1.6.5+dfsg-1+deb12u2

1.6.5+dfsg-1+deb12u3

1.6.5+dfsg-1+deb12u4

1.6.5+dfsg-1+deb12u5

1.6.5+dfsg-1+deb12u6

1.6.5+dfsg-1+deb12u7

1.6.5+dfsg-1+deb12u8

1.6.6+dfsg-1

1.6.6+dfsg-2

1.6.7+dfsg-1

1.6.8+dfsg-1

1.6.8+dfsg-2

1.6.9+dfsg-1

1.6.9+dfsg-2

1.6.10+dfsg-1

1.6.10+dfsg-2

1.6.11+dfsg-1

1.6.12+dfsg-1

1.6.13+dfsg-1

1.6.14+dfsg-1

1.6.15+dfsg-1

1.6.16+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48848.json"

Debian:13 / roundcube

Package

Name: roundcube
Purl: pkg:deb/debian/roundcube?arch=source&distro=trixie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.11+dfsg-1

1.6.12+dfsg-0+deb13u1

1.6.12+dfsg-1

1.6.13+dfsg-0+deb13u1

1.6.13+dfsg-1

1.6.14+dfsg-1

1.6.15+dfsg-0+deb13u1

1.6.15+dfsg-1

1.6.16+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48848.json"