CVE-2025-68461
Published: 18 December 2025
Description
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Mitigating Controls (NIST 800-53 r5)
SI-2 Flaw Remediation: directly remediates the vulnerability by updating Roundcube Webmail to 1.5.12 (1.5 branch) or 1.6.12 (1.6 branch), the releases that carry the vendor fix. Confirm the running version, as shown in Roundcube's About dialog, is at or above the fixed release for its branch.
SI-15 Information Output Filtering: filters message content before it reaches the browser so that script-bearing SVG animate elements are not rendered inside the webmail interface.
SI-10 Information Input Validation: validates untrusted input such as SVG documents and rejects or strips animate elements that could be abused for XSS.
Security Summary
CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability affecting Roundcube Webmail versions before 1.5.12 and 1.6 before 1.6.12. The issue stems from improper handling of the animate tag within an SVG document and is classified as CWE-79. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). The changed scope (S:C) reflects that the vulnerable component is the webmail server while the impacted component is the user's browser session; confidentiality and integrity impact are rated low.
Per the published vector, unauthenticated remote attackers can exploit the flaw over the network with low attack complexity and no user interaction. Operationally, the attacker delivers a malicious SVG document containing an animate tag to the webmail instance (for example, inside a message sent to the victim), and the XSS payload executes in the victim's browser session, with that session's privileges, when Roundcube renders the document. A sanitiser that only inspects static attributes can miss this pattern, because the animate element rewrites the attribute at render time rather than in the markup as received.
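The following is an added example, not Roundcube's own sanitiser (Roundcube's filter is PHP; this is an independent Python illustration). It shows the attribute-rewriting pattern described above and the two controls this page lists: a detector that flags an animate element whose target is an href-like attribute and whose animated values include a script URL scheme (the case a static href check misses), and a strict filter that strips every SMIL animation element. The set of animation elements beyond animate, the list of dangerous schemes, and the sample SVG documents are assumptions constructed for the example, not taken from the vendor fix.

```python
"""Detect and strip SMIL animation elements in SVG that can be abused for XSS.

Added illustration for CVE-2025-68461; this is not Roundcube's own code.
The element and scheme lists below are assumptions chosen for defence in
depth, not taken from the Roundcube fix.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse with defusedxml instead

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# <animate> is the element named in the CVE description; the other SMIL
# animation elements use the same attributeName/values mechanism and are
# included here as an assumption (defence in depth).
ANIMATION_TAGS = {"animate", "set", "animateTransform", "animateMotion"}

# URL schemes that yield script execution or attacker-controlled content
# if an animation rewrites an href to them (assumed list).
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


def _local(qname):
    """Strip an XML namespace ({uri}name) or prefix (xlink:name) from a name."""
    return qname.rsplit("}", 1)[-1].rsplit(":", 1)[-1]


def _animated_values(el):
    """Every value an animation element could assign to its target attribute."""
    vals = el.get("values", "").split(";")
    vals += [el.get(a, "") for a in ("from", "to", "by")]
    return [v.strip() for v in vals if v.strip()]


def find_animation_risks(svg_text):
    """Return (element, attributeName, value) for each animation that would
    set an href-like attribute to a dangerous URL scheme at render time.

    A static check of <a href> misses this: the href is benign in the
    markup and only becomes javascript: once the animation runs.
    """
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag not in ANIMATION_TAGS:
            continue
        target = el.get("attributeName", "")
        if _local(target).lower() != "href":
            continue
        for value in _animated_values(el):
            if DANGEROUS_SCHEME.match(value):
                findings.append((tag, target, value))
    return findings


def strip_animation(svg_text):
    """Strict policy: remove every SMIL animation element, wherever nested.

    This is the input-validation / output-filtering control applied
    literally: inbound SVG loses all animation, so no animation can later
    rewrite an attribute into a script URL.
    """
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ANIMATION_TAGS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample, not a captured exploit: the link looks harmless, but
# the <animate> swaps its href to a javascript: URL after one second.
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.com">'
    '<text x="10" y="20">click</text>'
    '<animate attributeName="xlink:href" '
    'values="https://example.com;javascript:alert(document.cookie)" '
    'dur="1s" fill="freeze"/>'
    '</a></svg>'
)

# Constructed benign sample: animating opacity is harmless, but the strict
# policy drops it anyway.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<circle r="5"><animate attributeName="opacity" values="0;1" dur="1s"/>'
    '</circle></svg>'
)


if __name__ == "__main__":
    for finding in find_animation_risks(MALICIOUS_SVG):
        print("RISK: <%s attributeName=%s> -> %s" % finding)
    print(strip_animation(MALICIOUS_SVG))
    print(strip_animation(BENIGN_SVG))
```

The detector is deliberately narrow (href targets and a fixed scheme list), which makes it a useful log or mail-gateway signal but not a complete defence; the strict strip is what a sanitiser should apply to SVG from untrusted senders, since animation is never needed for a message to be readable.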
Official advisories recommend updating to Roundcube Webmail 1.5.12 or 1.6.12, as outlined in the project's security update announcement and the fixing commit on GitHub. The CVE was published on 18 December 2025 and added to the CISA Known Exploited Vulnerabilities Catalog on 20 February 2026; KEV listing indicates exploitation in the wild, so the upgrade should be treated as mandatory rather than advisory, and unpatched instances exposed to the Internet should be assumed to have received malicious messages.
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
- KEV Date Added: 20 February 2026
Affected Products
- Roundcube Webmail before 1.5.12
- Roundcube Webmail 1.6 before 1.6.12
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): CVE-2025-68461 is an unauthenticated XSS vulnerability in the public-facing Roundcube Webmail application. An attacker exploits it by delivering a malicious SVG document to the webmail instance, which is the initial-access pattern this technique describes.